XML External Entity
An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server.
Summary
Tools
staaldraad/xxeftp - A mini webserver with FTP support for XXE payloads
lc/230-OOB - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via http://xxe.sh/
enjoiz/XXEinjector - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods
BuffaloWill/oxml_xxe - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF)
whitel1st/docem - Utility to embed XXE and XSS payloads in docx,odt,pptx,etc
bytehope/wwe - PoC tool (based on wrapwrap & lightyear ) to demonstrate XXE in PHP with only LIBXML_DTDLOAD or LIBXML_DTDATTR flag set
Detect The Vulnerability
Internal Entity: If an entity is declared within a DTD it is called an internal entity. Syntax: <!ENTITY entity_name "entity_value">
External Entity: If an entity is declared outside a DTD it is called an external entity. Identified by SYSTEM. Syntax: <!ENTITY entity_name SYSTEM "entity_value">
Basic entity test, when the XML parser parses the external entities the result should contain "John" in firstName and "Doe" in lastName. Entities are defined inside the DOCTYPE element.
It might help to set the Content-Type: application/xml in the request when sending XML payload to the server.
Exploiting XXE to Retrieve Files
Classic XXE
We try to display the content of the file /etc/passwd.
⚠️ SYSTEM and PUBLIC are almost synonym.
Classic XXE Base64 Encoded
PHP Wrapper Inside XXE
XInclude Attacks
When you can't modify the DOCTYPE element use the XInclude to target
Exploiting XXE to Perform SSRF Attacks
XXE can be combined with the SSRF vulnerability to target another service on the network.
Exploiting XXE to Perform a Denial of Service
⚠️ : These attacks might kill the service or the server, do not use them on the production.
Billion Laugh Attack
YAML Attack
Parameters Laugh Attack
A variant of the Billion Laughs attack, using delayed interpretation of parameter entities, by Sebastian Pipping.
Exploiting Error Based XXE
Error Based - Using Local DTD File
If error based exfiltration is possible, you can still rely on a local DTD to do concatenation tricks. Payload to confirm that error message include filename.
GoSecure/dtd-finder - List DTDs and generate XXE payloads using those local DTDs.
Linux Local DTD
Short list of DTD files already stored on Linux systems; list them with locate .dtd:
The file /usr/share/xml/fontconfig/fonts.dtd has an injectable entity %constant at line 148: <!ENTITY % constant 'int|double|string|matrix|bool|charset|langset|const'>
The final payload becomes:
Windows Local DTD
Payloads from infosec-au/xxe-windows.md.
Disclose local file
Disclose HTTP Response
Error Based - Using Remote DTD
Payload to trigger the XXE:
Content of ext.dtd:
Alternative content of ext.dtd:
Let's break down the payload:
<!ENTITY % file SYSTEM "file:///etc/passwd">This line defines an external entity named file that references the content of the file /etc/passwd (a Unix-like system file containing user account details).<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">This line defines an entity eval that holds another entity definition. This other entity (error) is meant to reference a nonexistent file and append the content of the file entity (the/etc/passwdcontent) to the end of the file path. The%is a URL-encoded '%' used to reference an entity inside an entity definition.%eval;This line uses the eval entity, which causes the entity error to be defined.%error;Finally, this line uses the error entity, which attempts to access a nonexistent file with a path that includes the content of/etc/passwd. Since the file doesn't exist, an error will be thrown. If the application reports back the error to the user and includes the file path in the error message, then the content of/etc/passwdwould be disclosed as part of the error message, revealing sensitive information.
Exploiting Blind XXE to Exfiltrate Data Out of Band
Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
Basic Blind XXE
The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.
Send the content of /etc/passwd to "www.malicious.com", you may receive only the first line.
Out of Band XXE
Yunusov, 2013
XXE OOB with DTD and PHP Filter
XXE OOB with Apache Karaf
CVE-2018-11788 affecting versions:
Apache Karaf <= 4.2.1
Apache Karaf <= 4.1.6
Send the XML file to the deploy folder.
WAF Bypasses
Bypass via Character Encoding
XML parsers uses 4 methods to detect encoding:
HTTP Content Type:
Content-Type: text/xml; charset=utf-8Reading Byte Order Mark (BOM)
Reading first symbols of document
UTF-8 (3C 3F 78 6D)
UTF-16BE (00 3C 00 3F)
UTF-16LE (3C 00 3F 00)
XML declaration:
<?xml version="1.0" encoding="UTF-8"?>
UTF-8
EF BB BF
EF BB BF 3C 3F 78 6D 6C
...<?xml
UTF-16BE
FE FF
FE FF 00 3C 00 3F 00 78 00 6D 00 6C
...<.?.x.m.l
UTF-16LE
FF FE
FF FE 3C 00 3F 00 78 00 6D 00 6C 00
..<.?.x.m.l.
Example: We can convert the payload to UTF-16 using iconv to bypass some WAF:
XXE on JSON Endpoints
In the HTTP request try to switch the Content-Type from JSON to XML,
application/json
{"search":"name","value":"test"}
application/xml
<?xml version="1.0" encoding="UTF-8" ?><root><search>name</search><value>data</value></root>
XML documents must contain one root (
<root>) element that is the parent of all other elements.The data must be converted to XML too, otherwise the server will respond with an error.
XXE in Exotic Files
XXE Inside SVG
Classic:
OOB via SVG rasterization:
xxe.svg:
xxe.xml:
XXE Inside SOAP
XXE Inside DOCX file
Format of an Open XML file (inject the payload in any .xml file):
/_rels/.rels
[Content_Types].xml
Default Main Document Part
/word/document.xml
/ppt/presentation.xml
/xl/workbook.xml
Then update the file zip -u xxe.docx [Content_Types].xml
Tool : https://github.com/BuffaloWill/oxml_xxe
XXE Inside XLSX file
Structure of the XLSX:
Extract Excel file: 7z x -oXXE xxe.xlsx
Rebuild Excel file:
Warning: Use zip -u (https://infozip.sourceforge.net/Zip.html) and not 7z u / 7za u (https://p7zip.sourceforge.net/) or 7zz (https://www.7-zip.org/) because they won't recompress it the same way and many Excel parsing libraries will fail to recognize it as a valid Excel file. A valid magic byte signature with (file XXE.xlsx) will be shown as Microsoft Excel 2007+ (with zip -u) and an invalid one will be shown as Microsoft OOXML.
Add your blind XXE payload inside xl/workbook.xml.
Alternatively, add your payload in xl/sharedStrings.xml:
Using a remote DTD will save us the time to rebuild a document each time we want to retrieve a different file. Instead we build the document once and then change the DTD. And using FTP instead of HTTP allows to retrieve much larger files.
xxe.dtd
Serve DTD and receive FTP payload using staaldraad/xxeserv:
XXE Inside DTD file
Most XXE payloads detailed above require control over both the DTD or DOCTYPE block as well as the xml file. In rare situations, you may only control the DTD file and won't be able to modify the xml file. For example, a MITM. When all you control is the DTD file, and you do not control the xml file, XXE may still be possible with this payload.
Labs
References
Last updated