Demo: XML External Entities


Difficulty
Intermediate
Video Transcription
Let's see XXE in action, but before we do that, I talked in the slides about file and how you can look at local files in a web browser. You'll see here, when you load, or you basically launch, Firefox, it is pulling from a local file here, not from any external server or internal server; it is pulling from a file, and how we know that is, if I cat this file, I can see it here. OffSec has made it so that when you open up Firefox, they've configured it so that it pulls this page for them. It shows you all about Kali Linux. Pretty cool, right?

You can also leverage that to look at local files like /etc/passwd. I just do file:///etc/passwd and I can see my /etc/passwd file and all my local users. Of course, if I'm running as root, which I am, if I do shadow, I can see my /etc/shadow. I'm not going to show you, but again, that's what makes this XXE attack interesting: we can test to see if the server is running as root, and read the /etc/shadow file and crack passwords. If SSH is there, it is available to us. We can then log in as the root user if we can crack the password, or any user whose password we can crack.

Going into Mutillidae. If we go here to OWASP 2017, XML validator right here, they give us an example of what we can use. If I just validate this, you'll see we have some XML, which could be our root, message, Hello World, the ending to these two tags here. By that forward slash, we see that it parsed it as Hello World.

Well, let's go to our next way of testing, to see if we can inject or make our own entities and see if we can inject that here. Instead of doing /etc/passwd, I'm going to delete the SYSTEM here. I'm going to create this entity called xxe and put the text Cybrary. You'll see we're injecting that here in message, where it's &xxe;, and it says Cybrary.

I've noticed that in some cases, what I can do is change the root tag and it doesn't really affect anything. I could do anything here and then I could type anything here. It should still say Cybrary. You see it does. The only problem, or the only error that comes up, is if you name something different, like if you have anything here and you mistype it or misspell it here, you'll get an error back.

Now let's read local files. Now let's read the /etc/passwd file. Like you see here, your /etc/passwd, and like we saw here the /etc/passwd, but of course this is on the server here and not locally on my machine. Now we're reading the /etc/passwd file from this machine here. We could do things like /etc/hosts and read all files. The other thing I would probably check from here is /etc/shadow, and see if I can see that, if this server is running as root, and we can see it's not. Unfortunately for us.

The other thing I talked about was the ability to read PHP pages. Of course, if I look at this page, all I can see is the HTML. If I go to View Page Source, all I can see is the HTML. If I want to target a particular page, like the registration page here, if I go to Login and Register, if I want to read the PHP for this page, as you see, again I can't see the PHP here. But if I go back, I can do this SYSTEM php filter and it'll basically grab the PHP in base-64 encoding. As you'll see here, register.php. What I'll do is I'll grab, so a lot of base-64 encoding here, grab all this and I'm going to copy it. Then I'm going to go to Burp, the Decoder, and you'll see I've done this, I've already done this prior to this exercise here: I've pasted it into Decoder and I've decoded this as base 64. You can see now I can see PHP. I can see some comments in PHP like "this code is insecure." I can see how this page is written in PHP, which is interesting for me, because like I talked about in the slides, if this pulls from a database, maybe it has the username or the name of the database and the password in it. Now I know how to log in to their MySQL database, or I can see how the file structure is on this server. I can now read the whole entire PHP of the page, and of course the HTML as well. But that's pretty useful information to me as an attacker, the ability to read PHP in addition to the HTML.

I know that was a shorter lesson, but now you should be able to test for XXE attacks: how we can read local files, how we can see if the server is running with elevated permissions, and our ability, if it is running PHP, to then read PHP from the system.

Since this is in Docker, I had some issues with it reaching back out to my system here for SSRF. But let's say in some circumstances, instead of me putting PHP, I could put my web server here, or whatever web server I can control, like if it's Burp Collaborator, I could put that here to have it reach back out to my server to validate server-side request forgery. Or if it's internal, I could change this to an internal IP address and do timing attacks for particular ports. If port 80 takes two seconds, and then I could do like 8888, if that takes less than a second, it could be closed. I can do timing attacks like that. A lot of interesting things we can do with XXE.
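As an added example, not part of the lesson or of Mutillidae: a server-side check, written in Python with the standard library's expat parser, that flags the DTD features the payloads above rely on (a DOCTYPE, an internal entity, a SYSTEM entity pointing at file://, php:// or http://) and refuses the document before any entity is expanded. The sample documents are constructed to mirror the payloads demonstrated, and the function names are my own.

```python
import xml.parsers.expat
from typing import List
from xml.etree import ElementTree as ET


def scan_for_xxe(xml_bytes: bytes) -> List[str]:
    """Walk the document with expat and record every DTD feature an XXE
    payload relies on, without resolving any entity. Findings are short
    tags such as 'doctype', 'internal-entity:xxe', 'local-file-read:...'."""
    findings: List[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("doctype")
        if sysid is not None:  # external DTD: <!DOCTYPE r SYSTEM "...">
            findings.append("external-dtd:" + sysid)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is None:  # <!ENTITY xxe "Cybrary">: text only, no I/O
            findings.append("internal-entity:" + name)
            return
        scheme = sysid.split(":", 1)[0].lower() if ":" in sysid else ""
        kind = {"file": "local-file-read", "php": "php-wrapper",
                "http": "ssrf", "https": "ssrf", "ftp": "ssrf"}.get(scheme, "external-entity")
        findings.append(f"{kind}:{name}={sysid}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed XML: keep the declarations seen before the error
    return findings


def parse_message(xml_bytes: bytes) -> str:
    """Hardened server-side parse: a 'Hello World' message never needs a
    DTD, so any document that declares one is refused before it is parsed."""
    findings = scan_for_xxe(xml_bytes)
    if findings:
        raise ValueError("rejected XML: " + ", ".join(findings))
    return ET.fromstring(xml_bytes).text or ""


# Constructed sample inputs modelled on the payloads the lesson walks through.
SAMPLES = {
    "benign": b"<message>Hello World</message>",
    "entity": b'<!DOCTYPE r [<!ENTITY xxe "Cybrary">]><message>&xxe;</message>',
    "passwd": b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><message>&xxe;</message>',
    "ssrf": b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "http://10.0.0.5:8888/">]><message>&xxe;</message>',
}
```

Running scan_for_xxe over each entry of SAMPLES shows the benign message as clean and the others tagged by what the entity would reach for, which is the split a WAF rule or request log filter would act on.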