XML external entity (XXE)
https://gitlab.com/jobertabma/vulnerable-code/-/tree/master/xxe?ref_type=heads
Step 1: Understand the Vulnerability
The code in index.php disables the entity loader and then processes XML input with potentially dangerous settings (LIBXML_NOENT and LIBXML_DTDLOAD). LIBXML_NOENT tells libxml to substitute entity references with their content, and LIBXML_DTDLOAD makes it load the document's DTD, so an external entity declared in attacker-supplied XML is resolved by the parser. That is the core of the XXE vulnerability.
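As an added illustration (this is not the repository's index.php, and the function names parseXmlVulnerable and parseXmlHardened and the two sample documents are constructed for it), the following PHP shows the parsing pattern described above next to a hardened version that refuses DTDs and parses without entity substitution:

```php
<?php
// Added example, not the repository's index.php. Function names and
// sample documents are constructed for this illustration.

// Vulnerable pattern: LIBXML_NOENT substitutes entity references and
// LIBXML_DTDLOAD loads the DTD, so an external entity declared in the
// input is resolved by the parser and its content ends up in the tree.
function parseXmlVulnerable(string $xml)
{
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_DTDLOAD);
}

// Hardened pattern: reject any document that carries a DOCTYPE or ENTITY
// declaration before it reaches libxml, then parse without NOENT/DTDLOAD
// and with network fetches disabled (LIBXML_NONET).
function parseXmlHardened(string $xml): SimpleXMLElement
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        throw new InvalidArgumentException('XML input with a DTD or entity declaration is not allowed');
    }
    // On PHP < 8.0 external entity loading can still be switched on by the
    // runtime configuration; turn it off explicitly. PHP 8 deprecated the
    // call because the loader is already off by default there.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new InvalidArgumentException('Malformed XML');
    }
    return $doc;
}

// Constructed sample input: a benign document and one carrying the kind of
// external-entity declaration the walkthrough on this page targets.
$benign = '<note><to>ops</to></note>';
$malicious = '<?xml version="1.0"?>'
    . '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    . '<note><to>&xxe;</to></note>';

echo 'benign parsed, <to> = ', (string) parseXmlHardened($benign)->to, PHP_EOL;

try {
    parseXmlHardened($malicious);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The DOCTYPE/ENTITY pre-check is a cheap first gate that also gives you a clear log line to alert on; it is not the real control, because a differently encoded payload could slip past a byte-level regex. The parser options are what actually prevent entity resolution: never pass LIBXML_NOENT or LIBXML_DTDLOAD for untrusted input, and keep LIBXML_NONET on so the parser cannot reach out to fetch anything.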

Step 2: Create and Run the Bash Script
1. Create the Bash Script: Create a file named xxe.sh and add the provided Bash script to it.
- Explanation of the Script:
  - echo $1 > _tmp/strip: Takes the first argument passed to the script ($1) and writes it to a file named _tmp/strip.
  - php -S 127.0.0.1:8080 -t xxe &: Starts a PHP built-in server on 127.0.0.1 (localhost) at port 8080, serving files from the xxe directory. The & at the end runs the server in the background.
  - Open the URL with the Malicious XML Payload: The script opens the URL that includes the XML payload. The payload is URL-encoded and crafted to exploit the XXE vulnerability by attempting to read the /etc/passwd file.
  - wait: Waits for all background jobs to finish before terminating the script. This ensures that the PHP server continues running until the script is manually stopped or all background processes are completed.
2. Make the Script Executable: Change the script's permissions to make it executable.
3. Run the script:

Expected Outcomes:
The expected outcome of running the xxe.sh script against the provided index.php code is that the browser displays the contents of the /etc/passwd file, which the XXE payload reads from the server's filesystem. This file typically contains information about the user accounts on a Unix-based system. A typical /etc/passwd file contains lines like these:
Each line in the /etc/passwd file provides details about a user account, including the username, user ID (UID), group ID (GID), user description, home directory, and shell.