What is XXE (XML External Entity)?
XML external entity injection (XXE) is a web security vulnerability that allows a threat actor to inject unsafe XML entities into a web application that processes XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
What do we have to do to solve the lab?

The goal is to read the content of the /etc/passwd file.
Also, from the hint we know that the vulnerability exists in the "Check stock" feature, and that we have to reference an existing DTD file on the server and redefine an entity from it. We know that the DTD file exists at /usr/share/yelp/dtd/docbookx.dtd and that it contains an entity called ISOamso.
I intercept the request from the Check stock feature.

Now, I will load the DTD file to override the ISOamso entity.

We see no errors, so the file exists.
Ok, what does this code mean?

First, we have to understand what a DTD is.
A DTD is a document type definition. It contains a set of rules that control the structure and elements of XML files.
The DTD is declared within the optional DOCTYPE element at the start of the XML document. The DTD can be fully self-contained within the document itself (known as an "internal DTD"), or can be loaded from elsewhere (known as an "external DTD"), or can be a hybrid of the two.
Inside the DTD, we declare a parametric (parameter) entity. What is an XML entity? An entity in XML is like a placeholder for text or data. It's a way to store information that you can reuse in your XML document. There are generally three types of entities in XML:
- Internal entities.
- External entities.
- Parametric entities.
Internal entities are like sticky notes that you write and keep within a book.
<!DOCTYPE foo [
<!ENTITY name "Example Corp">
]>
External entities are like bookmarks that point to information outside of your XML document.

Parameter entities are a special kind of XML entity that can only be referenced elsewhere within the DTD. They are like variables that you can use to define parts of your document type definition (DTD) in XML.
Why did we use a parametric entity?
In this challenge, I think that external entities may be blocked.


Also, we are doing something more subtle than just reading a file. We are redefining an existing entity.
Now, we have to read the content of the /etc/passwd file.

Now, we will explain the payload.

- Defines an XML parameter entity called local_dtd, containing the contents of the external DTD file that exists on the server filesystem.
- Redefines the XML parameter entity called ISOamso, which is already defined in the external DTD file. The entity is redefined as containing the error-based XXE exploit, for triggering an error message containing the contents of the /etc/passwd file.
I think that you have many questions about the payload.
What is this &#x25;?
Why didn't you use % instead of &#x25;?
Why do you define an entity eval? Why not just create the error entity?
These are good questions.
What is this &#x25;?
That is called a character reference (specifically a hexadecimal numeric character reference) in XML (and HTML).
So when an XML parser sees &#x25;, it replaces it with %.
Why didn't you use % instead of &#x25;?
Because when you declare an internal parameter entity, if the XML parser finds a % character inside the quotes, it treats it as a parameter-entity reference that has to be expanded. But when it reads the character after the %, it finds a space, and that is against the XML specification: a name has to follow the %, and the reference has to end with ;.
But we don't want to expand the entity; we want to declare an entity inside another entity. That's why we put &#x25; instead of %, and after expansion the &#x25; becomes %.
And this is also the reason why we write &#x26;#x25;: it is just a double encoding of the % character.
Why do you define an entity eval? Why not just create the error entity?
If you understand the previous answer, you may already know why. When you declare an external parameter entity, for example:

a parameter-entity reference inside the quotes will not be expanded. But when we declare an internal parameter entity, the reference inside it will be expanded.
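The layered encoding of % that the payload depends on (&#x25; once, &#x26;#x25; twice) can be undone on the defender's side before a request is inspected. The following Python is an added example, not code from the write-up or the lab: it decodes numeric character references to a fixed point and counts the DOCTYPE, parameter-entity and SYSTEM file: markers discussed above; the stockCheck request bodies are constructed for the example, and the element names are assumed.

```python
import re

# Hexadecimal (&#x25;) and decimal (&#37;) numeric character references.
NCR = re.compile(r"&#x([0-9A-Fa-f]+);|&#([0-9]+);")

# Markers the write-up relies on: a DOCTYPE, a parameter-entity declaration
# and an external identifier that points at the local filesystem.
MARKERS = {
    "doctype": re.compile(r"<!DOCTYPE", re.I),
    "parameter_entity": re.compile(r"<!ENTITY\s+%", re.I),
    "system_file": re.compile(r"SYSTEM\s*[\"']file:", re.I),
}

def decode_ncrs(text: str, max_rounds: int = 5) -> tuple:
    """Decode NCRs until nothing changes: &#x25; needs one round to become
    '%', the doubly encoded &#x26;#x25; needs two. Returns (text, rounds)."""
    def one(m):
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(cp) if cp <= 0x10FFFF else m.group(0)
    rounds = 0
    while rounds < max_rounds:
        new = NCR.sub(one, text)
        if new == text:
            break
        text, rounds = new, rounds + 1
    return text, rounds

def count_markers(text: str) -> dict:
    return {name: len(rx.findall(text)) for name, rx in MARKERS.items()}

def inspect_xml(body: str) -> dict:
    """Count markers before and after decoding; a stock-check request never
    needs a DOCTYPE, so any DOCTYPE at all is grounds for rejection."""
    decoded, rounds = decode_ncrs(body)
    raw, seen = count_markers(body), count_markers(decoded)
    return {"raw": raw, "decoded": seen, "encoding_rounds": rounds,
            "reject": seen["doctype"] > 0}

# Constructed sample bodies for the example, not captured from the lab.
BENIGN = ('<?xml version="1.0"?>'
          '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
SUSPICIOUS = (
    '<?xml version="1.0"?>\n<!DOCTYPE stockCheck [\n'
    '<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">\n'
    "<!ENTITY % ISOamso '<!ENTITY &#x25; inner \"<!ENTITY &#x26;#x25; nested "
    "SYSTEM &#x27;file:///etc/passwd&#x27;>\">'>\n"
    '%local_dtd;\n]>\n'
    '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
```

Comparing the raw and decoded counts shows how many declarations a single-pass filter would miss: on the suspicious body, two parameter-entity declarations and one file: identifier only appear after decoding.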
