Scenario:
Craw.in, a cutting-edge data analytics company, has recently launched a new service for processing XML data uploaded by clients. Their internal security team (that's you!) has identified a potential vulnerability in the XML parsing logic. You need to exploit it to prove the risk. The target server is running a simple web application. You can interact with it through the provided web interface.
Challenge Overview:
You'll be interacting with a web application that allows uploading XML files. Your goal is to exploit an XXE vulnerability to read sensitive information from the server's file system. Remember, all answers must be a single word.
Scenario 1.
You upload an XML file, and the server returns an error. It seems like the server is checking if the XML is well-formed. You need to create a minimal valid XML document to bypass this check.
Question:
What is the basic XML declaration needed to make the server happy? (It starts with "<" and ends with ">")
Scenario 2.
Now the server accepts your XML file. You need to define an external entity. The entity name will be "xxe". The file location is not important now.
Question:
What XML element defines an entity?
Scenario 3.
You've defined an entity, but nothing happens. You need to actually use the entity in your XML document. It is good to define a SYSTEM entity.
Question:
How do you reference the entity "xxe" in your XML? (e.g., similar to &something;)
Scenario 4.
Now it's time to read local files. You will attempt to read /etc/passwd.
Question:
What should be in the SYSTEM definition of the entity to read a local file? (Give the full system name with path)
Scenario 5.
You successfully read the contents of /etc/passwd. It seems the application doesn't display the full content of the file. You need to target another file that is shorter and potentially more revealing. Your next target is /etc/hostname.
Question:
Which file do you need to specify in the System name to read the hostname?
Scenario 6.
You successfully read /etc/hostname. You decide to read files in the /var/log folder. The server returns a "file not found" message; access to the folder is restricted.
Question:
Which command do you use to access the local resource?
Scenario 7.
Now you want to try reading an application configuration file that might contain database credentials or API keys. Assume there's a configuration file at /opt/craw.in/config.ini.
Question:
What is the name of the folder in the system name to try to read the application configuration file?
Scenario 8.
Craw.in has a legacy system where internal IP addresses are sometimes stored in a specific file. You suspect this file is located at /opt/internal_ips.txt.
Question:
What is the IP address for /opt/internal_ips.txt file?
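
The scenarios above work because the upload service checks only that the XML is well-formed. As an added example (not part of the original challenge or of Craw.in's code), here is the upload check the service is missing, written with Python's standard-library expat bindings: it rejects any document that carries a DOCTYPE, an entity declaration or an external entity reference. The names check_upload, classify and UnsafeXML are assumptions, and the sample documents are constructed.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Upload carries DTD features this service never needs."""


def check_upload(data: bytes) -> str:
    """Return the root element name; raise UnsafeXML or ExpatError otherwise."""
    root = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r} not allowed")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    # Exceptions raised inside handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return root[0]


def classify(data: bytes) -> str:
    """Map an upload to the decision the web application should log."""
    try:
        return "accepted:" + check_upload(data)
    except UnsafeXML:
        return "rejected:dtd"
    except xml.parsers.expat.ExpatError:
        return "rejected:malformed"


# Constructed sample uploads.
BENIGN = b'<?xml version="1.0"?><upload><row id="1">ok</row></upload>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE upload [<!ENTITY xxe SYSTEM '
            b'"/etc/hostname">]><upload>&xxe;</upload>')
MALFORMED = b'<upload><row></upload>'

if __name__ == "__main__":
    for sample in (BENIGN, WITH_DTD, MALFORMED):
        print(classify(sample))
```

Logging the "rejected:dtd" decisions separately from malformed uploads gives the security team a signal that someone is probing the parser rather than sending broken data.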