XXE attacks
Our learning objectives are to understand what XML External Entity (XXE) injection attacks are and to identify how to exploit XXE.
XML External Entities is a mouthful, so I'm glad they've abbreviated it here with an acronym. So what is XXE? It's a vulnerability that allows an attacker to interfere with the way an application that parses XML works. In this case it allows us to view files on that server. In some cases it allows us to execute commands, and it also allows us to do things like reach out to our own server.
So when you see XML data being parsed, when you can see the underlying architecture of the server, it allows us to try to figure out: well, can we leverage this? If I see there's XML in here, maybe this is something I can leverage into an attack.

Like I said, it can be leveraged into SSRF, which stands for server-side request forgery, meaning that you're using that server to either enumerate itself (with timing attacks, maybe you can figure out what ports are open) or to enumerate the internal network it's on, to figure out if other hosts are up on that internal network, so we can pivot into that network leveraging XXE. And like I said, XXE has become very popular recently. It's not in the PWK material that I've seen, but it is in the AWAE, the Offensive Security Advanced Web Attacks course, and I've seen it in production environments. So I know it's out there, and I'm glad Offensive Security has covered this, because this is something that does affect production applications, and when it does, it can be pretty serious.
Applications that parse XML: things like SOAP, the Simple Object Access Protocol, and the applications that use it.
So here we have an application, and we have to figure out the structure of the XML. XML is not like HTML, Hypertext Markup Language. They're both markup languages, but HTML has tags like a body tag, an html tag or a title tag, tags that are defined and that we know. XML has its own: you can name the tags anything. So you have to know what the tags are in order to inject our payload into them. So here we have a user and a password tag, and we're going to take these tags and try to inject our own syntax into them. So what do I mean by that?
So here is the payload: an XML version 1.0 declaration with some encoding information, a DOCTYPE foo (that could be anything), and an ENTITY called xxe whose value is evil. So I'm calling it xxe, I'm saying evil, and &xxe; is now nested inside the user tag. You can see on the right it says "you have logged in as evil". So I'm able to create my own entity and inject my own evil payload into that. So let's leverage that further.
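The "logged in as evil" step above is an internal-entity expansion, and the defensive fix on the application side is to refuse any DTD in untrusted XML rather than to parse it. The following Python example is added here and is not part of the course material: it shows a permissive parse that expands the injected entity exactly as the slide describes, beside a guarded parse that inspects the document with expat's declaration handlers and rejects it before any entity, internal or external, can be resolved. The user/password document, the DOCTYPE name foo and the entity name xxe follow the slide; the function names and the DoctypeRejected error are the example's own. The same rule applies to PHP's DOM and SimpleXML loaders: do not pass LIBXML_NOENT, and on older PHP releases call libxml_disable_entity_loader(true).

```python
"""Added example (not from the course): entity expansion in a permissive
parser versus a guarded parse that rejects any DOCTYPE or entity declaration."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample documents modelled on the slide.
CLEAN = b'<?xml version="1.0"?><creds><user>ninja</user><password>x</password></creds>'
INTERNAL_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe "evil">]>'
                   b'<creds><user>&xxe;</user><password>x</password></creds>')
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                   b'<creds><user>&xxe;</user><password>x</password></creds>')


class DoctypeRejected(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or any entity."""


def permissive_user(data: bytes) -> str:
    """Parse the way the vulnerable app does: an entity declared in the
    internal DTD subset is expanded into the <user> text."""
    return ET.fromstring(data).findtext("user")


def audit_xml(data: bytes) -> list:
    """Pre-parse pass: record every DOCTYPE and entity declaration expat sees,
    without ever fetching an external resource. Returns the findings."""
    probe = xml.parsers.expat.ParserCreate()
    findings = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        findings.append(f"ENTITY {name} -> {sysid or value!r}")

    probe.StartDoctypeDeclHandler = on_doctype
    probe.EntityDeclHandler = on_entity
    # Returning 0 from the external-reference handler aborts parsing, so the
    # probe can never read a file or open a network connection.
    probe.ExternalEntityRefHandler = lambda *args: 0
    try:
        probe.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        pass  # an aborted probe still leaves its findings behind
    return findings


def guarded_user(data: bytes) -> str:
    """Same lookup as permissive_user, but the document is refused outright
    if the audit found a DTD, so neither internal nor external entities can
    ever reach the real parser."""
    findings = audit_xml(data)
    if findings:
        raise DoctypeRejected("; ".join(findings))
    return ET.fromstring(data).findtext("user")


if __name__ == "__main__":
    print("permissive:", permissive_user(INTERNAL_ENTITY))   # evil
    for doc in (CLEAN, INTERNAL_ENTITY, EXTERNAL_ENTITY):
        try:
            print("guarded:", guarded_user(doc))
        except DoctypeRejected as exc:
            print("rejected:", exc)
```

The audit deliberately runs as a separate pass rather than as handlers on the real parser: a DOCTYPE is almost never legitimate in user-supplied XML, so refusing the whole document is simpler and safer than trying to neutralise individual entities.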
So what we're going to do now is call it file. I'm going to look for the /etc/passwd file, and we know that this is a Linux box, Debian, from the response header, and now we see the /etc/passwd file. You can also do this with the expect command in PHP, but keep in mind the expect command is disabled by default. So you have to get lucky to be able to use the expect command and execute commands on this box. I'll show you that in the demo.
We can also read PHP files, meaning the source. If you look at a PHP page and view the source, you can't see the PHP code itself, but leveraging XXE, you can. So I'm using a filter here to convert the text into Base64, and you can see here "you have logged in as" on the response, followed by this whole giant mess of letters. That's Base64 encoding. Well, you should be thinking: I'm using Burp Suite. What does Burp Suite have? It has a Decoder. So I used the Decoder and decoded it as Base64, and you can see here I can see that PHP tag and I can read the PHP of the page, which typically you're not able to do. So you can leverage XXE into seeing the source, the PHP, of the page.
You can also leverage this into SSRF. So if you have Burp Suite Pro, you might have seen this because you have the Collaborator client: when Burp Suite does the active scan, it will try to reach out to a Collaborator server, and it will tell you if it was successful, whether it was a DNS request or an HTTP request. It will tell you if this server, through an XXE vulnerability, was able to reach out remotely. So as you can see here, I'm leveraging this system command to reach my own server, where I have netcat set up, and you can see I made a connection to my own server. So let me now show you a demo.
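The file, filter and expect wrappers and the outbound callback just described all leave a recognisable shape in the request body, which is what a defender watching logs or writing a WAF rule keys on. The following Python example is added here and is not from the course: it normalises captured POST bodies (percent-decoding, whitespace collapsing, lower-casing, so an encoded variant does not slip past) and scores each one on the indicators named in the slides. The sample bodies, the host name listener.example and the rule names are constructed for the example; the php://filter/convert.base64-encode form is the standard PHP stream filter syntax that the Base64 read above relies on.

```python
"""Added example (not from the course): flag XXE payload shapes in captured
request bodies and score them by how far the payload would reach."""
import re
from urllib.parse import unquote_plus

# Each rule is (name, pattern) and is matched against the normalised body.
RULES = [
    ("doctype_declared",    re.compile(r"<!doctype")),
    ("entity_declared",     re.compile(r"<!entity\s+%?\s*\w+")),
    ("external_identifier", re.compile(r"\b(system|public)\s+[\"']")),
    ("file_wrapper",        re.compile(r"file://")),
    ("php_filter_wrapper",  re.compile(r"php://filter")),
    ("expect_wrapper",      re.compile(r"expect://")),
    ("outbound_url",        re.compile(r"https?://[\w.-]+")),
]

# An entity declaration combined with any of these is the classic read-file,
# run-command or call-home pattern from the slides.
HIGH = {"file_wrapper", "php_filter_wrapper", "expect_wrapper", "outbound_url"}


def normalise(body: str) -> str:
    """Percent-decode, collapse whitespace and lower-case so that simple
    encoding or spacing variations match the same rules."""
    return re.sub(r"\s+", " ", unquote_plus(body)).lower()


def scan_body(body: str) -> dict:
    text = normalise(body)
    hits = [name for name, pat in RULES if pat.search(text)]
    if "entity_declared" in hits and HIGH & set(hits):
        severity = "high"
    elif "doctype_declared" in hits or "entity_declared" in hits:
        severity = "medium"  # a DTD in user-supplied XML is rarely legitimate
    else:
        # outbound_url alone is not escalated: xmlns declarations in ordinary
        # documents carry http:// URIs too, so it only counts beside an entity.
        severity = "none"
    return {"severity": severity, "indicators": hits}


# Constructed sample bodies, standing in for a proxy log that records POST data.
SAMPLES = [
    '<?xml version="1.0"?><creds><user>ninja</user><password>x</password></creds>',
    '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe "evil">]>'
    '<creds><user>&xxe;</user></creds>',
    '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<creds><user>&xxe;</user></creds>',
    # percent-encoded variant of the php://filter source read, as a form field carries it
    '%3C%21DOCTYPE+foo+%5B%3C%21ENTITY+xxe+SYSTEM+%22php%3A%2F%2Ffilter'
    '%2Fconvert.base64-encode%2Fresource%3Dindex.php%22%3E%5D%3E'
    '%3Ccreds%3E%3Cuser%3E%26xxe%3B%3C%2Fuser%3E%3C%2Fcreds%3E',
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "expect://id">]><creds><user>&xxe;</user></creds>',
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://listener.example/ping">]>'
    '<creds><user>&xxe;</user></creds>',
]


def scan_all(bodies=SAMPLES) -> list:
    return [scan_body(b) for b in bodies]


if __name__ == "__main__":
    for body, result in zip(SAMPLES, scan_all()):
        print(result["severity"].ljust(6), result["indicators"])
```

Scoring on the combination rather than on any single token keeps the false-positive rate workable: a bare http:// in a namespace declaration scores nothing, while an entity declaration that points at a wrapper or a remote host is the pattern worth paging on.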
So I've come across this page and it's a mess. Like I said, I like to view source; it cleans it up a bit. But I can see things that say loadXML, so I should start thinking maybe I can leverage XXE. I'm going to change this into a

Now what I need to do is figure out where this is nested, and you kind of saw that already in the slides. But if I just try user, and I know the user tag is in here, if I try this, it's not going to work. We don't see ninja. We need to figure out where this is nested. So I could call this anything, foo, and let's give that a try. Well, it didn't like that because I didn't do this right, so let me do this correctly and try this again, and it says "you have logged in as user ninja". So now let's try to see if this is vulnerable to an XXE attack. Let's see if I can inject something into user here.
So what I've done now is, where this is test, it should say XXE: "you have logged in as user XXE". And we see we can, so I can enter my own entity into the user tag here. So now let's take this a step further and look for our beloved /etc/passwd file. I mean, we could change it to something else, right?
Okay, so there's something a little different; we can see this. So let's see if we can do the expect command. Like I said, this is not enabled by default in PHP, so we have to hope that the admin enabled it. So I'm just going to do the id command, and we can see that we were successful. We now see that we're www-data, so I could do other commands here. Now, this took me a little bit to figure out, but you can't have spaces here. I wanted to execute a shell.
What I should have here is our shell from the last one; I want to move it to shell.php. And I am going to stand up my server again, Python 3. And what I want to do now is a curl command, to have this server download that shell.php file. So what I'll do is, we're curling; I have this $IFS, that's a space. So curl. Oh, and you also have to mess around with the single quotes here. I'm having it reach out and try to get this PHP file, so I'll send this and see if it got my shell, which I see it didn't. So I need to check my syntax here, and you can see I don't have a colon in here, because expect doesn't allow a colon. So it says "unterminated quoted string". So this is where we do some debugging, right? So I see maybe I forgot a single quote here, and now I see that it did in fact download this file; we can see the GET request. So let's see if it's actually in there. I'm going to do ls and hopefully we see shell.php, and we do.
So I also have to set up our Metasploit Framework here. So now what I should be able to do is execute this with a php command. So what I'm going to do now is, and don't forget you need to do that $IFS for your space, so we have php, space, shell.php. Again, I need to add that little single quote, because we need to balance our quotes, and we can see that the multi/handler is running. So let's execute this and see if we get a shell. So we sent it, and we can see that in fact we did get a shell, and now we're on the box. So that's how to leverage an XXE attack: both by reading files (we read the /etc/passwd file and the /etc/hosts file) and by checking to see if expect was enabled, which luckily it was, into now getting a shell on the box.