XXE Attacks

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:01
X X E attacks
00:03
are learning objectives are to understand what Xml external entities. Xxi injection attacks are
00:10
and identify how to exploit *** e.
00:13
Xml external entities is a mouthful, so I'm glad they've abbreviated it here with an acronym.
00:19
So what is Xxi? It's a vulnerability that allows an attacker to
00:25
to interfere with the way an application works that parses xml.
00:30
So
00:32
in this case it allows us to view files on that server.
00:37
In some cases it allows us to execute commands and also allows us to do things like reach out to our own server.
00:46
So when you see xml data being parsed, when you when you can see the underlying
00:53
architecture of the server,
00:55
it then allows us to try to figure out, Well, can we leverage this? If I see there's something this is Xml in here is maybe this is something that I can leverage into an attack.
01:06
So like I said, it can leverage SSR F which stands for service side request forgery, meaning that you're using that server to either enumerate itself in timing attacks. Maybe you can figure out what ports are open or also enumerate the internal network it's on to figure out if other hosts
01:23
are up on that internal network. So we can pivot into that network
01:27
leveraging X X E. And like I said, Xxi is it has become very popular recently. Um it's not in the P W K material that I've seen,
01:38
but it is in the A W A E, the offensive Security advanced Web attack course. And I've seen it in production environments. So I know it's out there and I'm glad offensive security has shown this because this is something that does affect production applications. And when it does it can be pretty serious.
01:57
So
01:59
applications that parse xml things like soap or simple object access protocol, applications that use that.
02:07
So here we have an application and
02:12
we have to figure out the structure of xml. Xml is not like html. Hypertext markup language. They're both markup languages,
02:20
but html has tags like body tags or an html tag
02:25
or things that we know. Title thing, tags that we that are defined. Xml has its own you can name it anything like this. You can name it anything right here. You can name the tags anything. So you have to know what the tags are
02:40
in order to inject our payload into it.
02:45
So here we have a user and a password tag.
02:49
So we're gonna take these tags and we're gonna try to inject our own syntax into it.
02:54
So what do I mean by that?
02:57
So here is this payload XML version one with some encoding information,
03:01
doc type foo So that could be anything
03:05
entity is *** e evil. So I'm calling I'm saying evil. So Xxi you'll see that and xxi semi colon is now nested
03:15
in user
03:16
and you can see on the right it says you have logged in as evil. So I'm able to create my own entity and inject my own here evil payload into that.
03:28
So let's leverage that further.
03:30
So now we're gonna do is we're going to call it file. I'm gonna look for the etc. Password file
03:35
and we know that this is a Lennox box Debian from the response header
03:39
and now we see the etc password file.
03:44
You can also do this with the expect command in PHP but keep in mind the expect command is disabled by default. So you have to get lucky to be able to do the expect command and execute commands on this box. I'll show you that in the demo.
04:00
Yeah,
04:01
we can also read PHP files um
04:05
meaning that the source if you look at a PHP
04:09
page and you view the source, you can't see the PHP code itself
04:14
while leveraging Xxi. You can
04:15
So I'm using a filter here to convert the
04:19
Text into Base 64.
04:23
And you can see here you have logged in as on the response and this whole giant mess of letters. That's base 64 encoding. Well you should be thinking I'm using Burp suite. What does Burp suite have? It has a decoder.
04:34
So I used the decoder and a decoded as base 64 you can see here, I can see that PHP tag and I can read the PHP of the page which typically you're not allowed to do, we're not able to do. So you can leverage Xxi into seeing the source, the PHP
04:54
of the page.
04:57
You can also leverage this into S Srf.
05:00
So if you have Burp suite pro, you might have seen this because you have collaborative client which basically burp suite or when it does, the active scan will try to reach out to a collaborator client server. And it will tell you if it was successful, whether it was a DNS request or an http request will tell you
05:19
if this server through an Xxi vulnerability,
05:23
I was able to reach out remotely.
05:26
So as you can see here, I'm leveraging uh this system command to my own server where I have net cat set up and you can see I made a connection to my own server.
05:40
So let me now show you a demo.
05:46
So I've come across this page and it's a mess.
05:50
Like I said, I'd like to view source, it makes it cleans it up a bit,
05:55
but I can see things that say load xml. So I should start thinking maybe I can leverage *** e
06:00
I'm gonna change this into a
06:03
post request
06:05
now. What I need to do is figure out where this is nested and you kind of saw that already
06:11
in the slides.
06:15
But if I just try user which I know user, the user tag is in here. If I try this, it's not gonna work. We don't see ninja,
06:24
we need to figure out where this is nested. So I could call this anything fu
06:30
fool
06:31
and let's give that a try.
06:35
Well I didn't like that because I didn't do this. Right, So let me do this correctly,
06:41
try this again
06:43
and it says you have logged in as user ninja.
06:46
So now let's try to see if this is vulnerable to an Xxi attack.
06:53
Let's see if I can inject something into user here.
06:59
So what I've done now is
07:01
where this is test
07:03
it should say Xxi you have logged in as user X. X. E.
07:09
And we see we can so I can
07:11
enter my own entity into the user
07:15
uh tag here.
07:18
So now let's take this a step further
07:24
and let's look for our beloved etc. Password file
07:35
etc. Password.
07:38
I mean we could change it to something else. Right
07:46
okay so there's something a little different we can see this. Um So let's see if we can do the expect command.
07:55
Like I said this is this is not enabled by default in PHP. So we have to hope that the admin enabled this.
08:05
So I'm just gonna do the I. D. Command
08:07
and we can see that we were successful. We now see that we're dub dub, dub data so I I could do other commands here.
08:16
Now this took me a little bit to figure out but you can't have spaces here. I wanted to execute a shell.
08:22
So
08:24
what I should have here is
08:26
we should have our shell from the last one. I want to move to shell PHP
08:31
And I am going to stand up my server again, Python three.
08:37
Yeah
08:37
On 48,000.
08:41
And what I want to do now is do curl command
08:45
to have this server
08:46
download that shell dot PHP file.
08:56
So what I'll do
09:01
is we're curling, I have this dollar sign ifes. That's a space. So curl. Oh
09:07
and you also have to mess around with the single quotes here.
09:11
I'm having it reach out and try to get this PHP file so I'll send this
09:20
and see if it got my shell
09:24
which I see it didn't. So I need to check my syntax here
09:31
and you can see I don't have a colon in here because expect doesn't allow a colon.
09:37
So it says undetermined quote string. So this is where we do some debugging, right?
09:43
So I see maybe I forgot a single quote here
09:48
and now I see that it did in fact
09:52
download this file,
09:54
we can see this. Get request.
09:58
So let's see if it's actually in there.
10:03
I'm going to do Ls and hopefully we see shell dot PHP
10:07
and we do.
10:11
So I also have to set up
10:16
our Medicine plate framework here.
10:22
So now what I should be able to do is execute this with a PHP command.
10:28
So I'm going to do now is
10:31
don't forget you need to do that ifs for your space.
10:41
So we have PHP space shelled out PHP
10:46
Again I need to add that little single quote because we need to balance our quotes
10:50
and we can see that
10:52
uh multi handlers running
10:56
so let's execute this and see if we get a shell
11:01
so we sent it and we can see in fact
11:05
that we did get a shell
11:09
and now we're on the box
11:13
so that's how to leverage and xxi attack both by reading files, we read the etc. Password file in etc. Hosts file as well as looking for the to see if expect was enabled, which luckily it was
11:26
into now getting a shell on the box.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By