Article: XXE Vulnerabilities. №1
by OstapBender - Friday December 15, 2023 at 04:16 PM
Good afternoon, dear forum members!
Before we start looking at a very interesting and complex topic, I'd like to say a few words. It's quite possible that I'm going to be doing bullshit, but even if I am, this is something that can be dropped at any time to just rest. Just in case someone can use it! Now I'll get directly to the topic of the article.
XXE
When I studied XXE vulnerabilities, this topic left an indelible imprint on my mind and cost a decent amount of hair pulled out of my ass, well you get the picture. This topic was one of the ones that caused the most pain and destroyed a large number of nerve cells. Let's try to understand this type of vulnerability together today using a simple example.
XML External Entity (XXE) is a type of attack that exploits weaknesses in XML parsers. In an XXE attack, specially crafted XML content is injected into the application that processes it. XXE lets an entity be defined from the contents of a URL or file path. When the server parses the injected XML payload, it resolves the external entity, merges it into the final document, and returns it to the user with sensitive data inside.
Typically, applications that lack proper input validation and do not disable external entity processing in the XML parser are vulnerable to XXE. However, many XML parsers already have protection against XXE attacks built in.
XXE TYPES
XXE attacks are categorized by the method used to deliver the payload and by their impact during a penetration test. There are 6 types of XXE attacks:
1. File Extraction - the most trivial application, in which we extract files from the target server.
2. SSRF Attacks - using XXE to perform SSRF (Server-Side Request Forgery) attacks.
3. Blind XXE - an attack in which the attacker receives no direct response from the server; it can still be used to find out whether the application is vulnerable to XXE.
4. File Upload Injection - an attack in which the attacker uploads a file containing XML components.
5. Billion Laughs - a denial-of-service (DoS) attack.
6. XInclude - an attack that injects a payload into an XInclude statement.

We won't cover all of these variants, only those that are useful for practical tasks, and not even all of those, otherwise it won't be interesting.
Let's move on to practice. We have a site vulnerable to XXE.
Let's examine the request to this server. Launch Burp Suite, refresh the page, and look at the intercepted request.
[Image: 1700410457679-png.72232]
We don't see anything that resembles XML. No wonder: the XML markup is sent with the POST method. Let's change the request method by sending the request to Repeater and choosing Change request method from the context menu.
[Image: 1700410548724-png.72233]
Now our request has the right method, so we send it.
[Image: 1700410680716-png.72234]
Oops! The app gets cocky and demands a specific tag. So how do we find it? Those who are learning can watch video tutorials and write a simple Python script that generates the necessary payloads, which would let us work out the required tag. But today we will consider the simplest way: fuzzing.
We send our request to Intruder and add the following markup to it, with the tag name marked as the payload position:
<?xml version="1.0"?>
<§§>XXE</§§>
Choose Pitchfork as the attack type and our favorite directory-list-2.3-medium as the wordlist. We launch the attack and see a miracle: the string XXE is reflected when the tag is title. So we will display the information we need through that tag.
[Image: 1700410775404-png.72235]
Reading files
First, let's try to output one of the system files, such as /etc/passwd. To do this, we create a title entity and make it return the contents of the file:
<!DOCTYPE test [<!ENTITY title SYSTEM "file:///etc/passwd">]>
<title>&title;</title>
[Image: 1700410857367-png.72236]
Cool!
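As an added example, not from the original post, here is the defensive side of this exercise using Python's standard-library expat parser: the document is refused as soon as it declares any entity, so &title; is never expanded, and a separate audit function records what a suspicious DOCTYPE declares for logging without resolving it. The sample documents are constructed here from the payload shape shown above.

```python
import xml.parsers.expat

class EntityDeclarationRejected(Exception):
    """Untrusted XML declared an entity: treat it as an XXE or Billion Laughs attempt."""

def declared_entities(xml_text: str) -> list:
    """Detection helper: (name, system_id) of every entity the DTD declares."""
    # No ExternalEntityRefHandler is installed, so expat never fetches the
    # referenced file or URL; the declaration is only recorded for logging.
    found = []
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = (
        lambda name, is_pe, value, base, sysid, pubid, notation: found.append((name, sysid)))
    parser.Parse(xml_text, True)
    return found

def parse_title(xml_text: str) -> str:
    """Return the text of <title>, refusing the document if it declares any entity."""
    parser = xml.parsers.expat.ParserCreate()
    chunks, depth = [], [0]  # depth[0] > 0 while inside <title>

    def entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        # Fires while the DTD is read, i.e. before &title; could ever be expanded.
        raise EntityDeclarationRejected(f"entity {name!r} declared, SYSTEM={sysid!r}")

    def start(name, attrs):
        if name == "title" or depth[0]:
            depth[0] += 1

    def end(name):
        depth[0] = max(depth[0] - 1, 0)

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = lambda data: chunks.append(data) if depth[0] else None
    parser.Parse(xml_text, True)
    return "".join(chunks)

def is_rejected(xml_text: str) -> bool:
    try:
        parse_title(xml_text)
    except EntityDeclarationRejected:
        return True
    return False

# Constructed sample requests in the shape the article's exercise uses.
BENIGN = '<?xml version="1.0"?><title>XXE</title>'
XXE_PROBE = ('<?xml version="1.0"?><!DOCTYPE test [<!ENTITY title SYSTEM "file:///etc/passwd">]>'
             '<title>&title;</title>')
```

Rejecting every entity declaration also stops the Billion Laughs variant listed above, since it needs internal entities rather than external ones.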
Now I would like to draw your attention to the use of the file:// wrapper. In principle, in this case we could do without it entirely and the result would not change:
[Image: 1700410942865-png.72237]
In some cases it is necessary. Don't forget that with the wrapper we need to give an absolute path; without the wrapper, a relative path is resolved from the current directory.
Without wrapper
[Image: 1700410991664-png.72238]
With wrapper, no path (nothing is returned)
[Image: 1700411029188-png.72239]
With wrapper, with path
[Image: 1700411089543-png.72240]
Read the continuation of this article in part two. Only 10 images per message are allowed.