XXE Attacks


Difficulty
Intermediate
Video Transcription
00:01
XXE attacks
00:03
Our learning objectives are to understand what XML external entities, XXE, injection attacks are
00:10
and identify how to exploit XXE.
00:13
XML external entities is a mouthful, so I'm glad they've abbreviated it here with an acronym.
00:19
So what is XXE? It's a vulnerability that allows an attacker to
00:25
interfere with the way an application that parses XML works.
00:30
So
00:32
in this case it allows us to view files on that server.
00:37
In some cases it allows us to execute commands and also allows us to do things like reach out to our own server.
00:46
So when you see XML data being parsed, when you can see the underlying
00:53
architecture of the server,
00:55
it then allows us to try to figure out: well, can we leverage this? If I see there's XML in here, maybe this is something that I can leverage into an attack.
01:06
So like I said, it can leverage SSRF, which stands for server-side request forgery, meaning that you're using that server to either enumerate itself in timing attacks. Maybe you can figure out what ports are open, or also enumerate the internal network it's on to figure out if other hosts
01:23
are up on that internal network. So we can pivot into that network
01:27
leveraging XXE. And like I said, XXE has become very popular recently. Um, it's not in the PWK material that I've seen,
01:38
but it is in the AWAE, the Offensive Security advanced web attack course. And I've seen it in production environments. So I know it's out there, and I'm glad Offensive Security has shown this, because this is something that does affect production applications. And when it does, it can be pretty serious.
01:57
So
01:59
applications that parse XML, things like SOAP, or Simple Object Access Protocol; applications that use that.
02:07
So here we have an application and
02:12
we have to figure out the structure of XML. XML is not like HTML, Hypertext Markup Language. They're both markup languages,
02:20
but HTML has tags like body tags or an html tag
02:25
or things that we know: title tags, tags that are defined. XML has its own; you can name it anything, like this. You can name it anything right here. You can name the tags anything. So you have to know what the tags are
02:40
in order to inject our payload into it.
02:45
So here we have a user and a password tag.
02:49
So we're gonna take these tags and we're gonna try to inject our own syntax into it.
02:54
So what do I mean by that?
02:57
So here is this payload: XML version 1 with some encoding information,
03:01
DOCTYPE foo, so that could be anything,
03:05
ENTITY is xxe evil. So I'm calling, I'm saying, evil. So xxe, you'll see that, and xxe semicolon is now nested
03:15
in user
03:16
and you can see on the right it says you have logged in as evil. So I'm able to create my own entity and inject my own here evil payload into that.
03:28
So let's leverage that further.
03:30
So now what we're gonna do is we're going to call it file. I'm gonna look for the /etc/passwd file,
03:35
and we know that this is a Linux box, Debian, from the response header,
03:39
and now we see the /etc/passwd file.
03:44
You can also do this with the expect command in PHP, but keep in mind the expect command is disabled by default. So you have to get lucky to be able to do the expect command and execute commands on this box. I'll show you that in the demo.
04:00
Yeah,
04:01
we can also read PHP files, um,
04:05
meaning that the source: if you look at a PHP
04:09
page and you view the source, you can't see the PHP code itself,
04:14
while leveraging XXE, you can.
04:15
So I'm using a filter here to convert the
04:19
text into Base64.
04:23
And you can see here "you have logged in as" on the response and this whole giant mess of letters. That's Base64 encoding. Well, you should be thinking, I'm using Burp Suite. What does Burp Suite have? It has a decoder.
04:34
So I used the decoder and decoded it as Base64. You can see here, I can see that PHP tag and I can read the PHP of the page, which typically you're not allowed to do, we're not able to do. So you can leverage XXE into seeing the source, the PHP
04:54
of the page.
04:57
You can also leverage this into SSRF.
05:00
So if you have Burp Suite Pro, you might have seen this, because you have Collaborator client, which basically, when Burp Suite does the active scan, will try to reach out to a Collaborator server. And it will tell you if it was successful, whether it was a DNS request or an HTTP request; it will tell you
05:19
if this server, through an XXE vulnerability,
05:23
was able to reach out remotely.
05:26
So as you can see here, I'm leveraging, uh, this system command to my own server, where I have netcat set up, and you can see I made a connection to my own server.
05:40
So let me now show you a demo.
05:46
So I've come across this page and it's a mess.
05:50
Like I said, I'd like to view source; it cleans it up a bit,
05:55
but I can see things that say load XML. So I should start thinking maybe I can leverage XXE.
06:00
I'm gonna change this into a
06:03
POST request
06:05
now. What I need to do is figure out where this is nested and you kind of saw that already
06:11
in the slides.
06:15
But if I just try user, which I know the user tag is in here, if I try this, it's not gonna work. We don't see ninja;
06:24
we need to figure out where this is nested. So I could call this anything, foo,
06:30
foo,
06:31
and let's give that a try.
06:35
Well, it didn't like that because I didn't do this right. So let me do this correctly,
06:41
try this again
06:43
and it says you have logged in as user ninja.
06:46
So now let's try to see if this is vulnerable to an XXE attack.
06:53
Let's see if I can inject something into user here.
06:59
So what I've done now is
07:01
where this is test,
07:03
it should say XXE: you have logged in as user XXE.
07:09
And we see we can, so I can
07:11
enter my own entity into the user,
07:15
uh, tag here.
07:18
So now let's take this a step further
07:24
and let's look for our beloved /etc/passwd file,
07:35
/etc/passwd.
07:38
I mean, we could change it to something else, right?
07:46
Okay, so there's something a little different; we can see this. Um, so let's see if we can do the expect command.
07:55
Like I said, this is not enabled by default in PHP. So we have to hope that the admin enabled this.
08:05
So I'm just gonna do the id command,
08:07
and we can see that we were successful. We now see that we're www-data, so I could do other commands here.
08:16
Now this took me a little bit to figure out but you can't have spaces here. I wanted to execute a shell.
08:22
So
08:24
what I should have here is
08:26
we should have our shell from the last one. I want to move it to shell.php.
08:31
And I am going to stand up my server again, Python 3,
08:37
Yeah,
08:37
on 48000.
08:41
And what I want to do now is do a curl command
08:45
to have this server
08:46
download that shell.php file.
08:56
So what I'll do
09:01
is we're curling. I have this dollar sign IFS; that's a space. So curl. Oh,
09:07
and you also have to mess around with the single quotes here.
09:11
I'm having it reach out and try to get this PHP file so I'll send this
09:20
and see if it got my shell
09:24
which I see it didn't. So I need to check my syntax here
09:31
and you can see I don't have a colon in here because expect doesn't allow a colon.
09:37
So it says unterminated quoted string. So this is where we do some debugging, right?
09:43
So I see maybe I forgot a single quote here
09:48
and now I see that it did in fact
09:52
download this file,
09:54
we can see this. Get request.
09:58
So let's see if it's actually in there.
10:03
I'm going to do ls and hopefully we see shell.php,
10:07
and we do.
10:11
So I also have to set up
10:16
our Metasploit Framework here.
10:22
So now what I should be able to do is execute this with a PHP command.
10:28
So what I'm going to do now is,
10:31
don't forget you need to do that IFS for your space.
10:41
So we have php, space, shell.php.
10:46
Again I need to add that little single quote because we need to balance our quotes
10:50
and we can see that
10:52
uh, multi/handler is running,
10:56
so let's execute this and see if we get a shell
11:01
so we sent it and we can see in fact
11:05
that we did get a shell
11:09
and now we're on the box
11:13
So that's how to leverage an XXE attack, both by reading files, we read the /etc/passwd file and the /etc/hosts file, as well as looking to see if expect was enabled, which luckily it was,
11:26
into now getting a shell on the box.