What is XML external entity injection?
XML external entity injection is a security vulnerability that normally allows a bad guy by executing the XML data of the application’s processing. A bad guy will able to view files on the application server filesystem which the bad guy can escalate an XML attack to compromise the vulnerable server or on other back-end infrastructure. This method is also able to leverage the XML vulnerability to execute SSRF attacks
Demonstration on the attack
The demonstration is taken here
Gaining Privilges Access
A website interface such as Bounty Report System – Beta will appear just like the screenshot above.
Let’s test the beta system by inserting a single character on the Bounty Report System Beta website
Based on the result found during the burp suite activity, we managed to notice that data have been base64 encode
As a result, we can sight there’s an XML code from decoded the base64
I have done some research on XML External Entity Injection which some of the resources is extremely useful to us in the future.
Let’s run gobuster tool to enumerate further for any file or directory. The command that we can use in this activity is as below:
gobuster dir -u <ip> -w /<Path to>/Seclists/Discovery/Web-Content/big.txt
We have failed to get any files that look interesting to us.
Let’s run again gobuster but with an additional command (-x php) this time. It does resulting show a few PHP file extensions stored on the website such as db.php, index.php, and more.
Why search for PHP files on the website?
It’s because I did notice there’s a file extension of PHP when browsing to Portal webpage.
We will encode the XML code into base64 code using the CyberChef Interface as shown above.
We need to copy-paste the base64 code that we obtain from the CyberChef website on the data= at the bottom of the Request Packet. The Response that we will be retrieving can be seen in the Response column
We need to modify the XML code and also need to encode it into Base64 code so that we can do the same process as previously.
In the title column, we can see some base64 code which we should decode it so that we can fully read the code in plain text