How to discover an XXE vulnerability in the Bol.com website and exploit it successfully

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear about how the XXE vulnerability in the Bol.com website was found and successfully exploited. To help with that, the following explains it in detail; anyone who needs this can learn from it, and I hope you gain something.

Select a target

As always, we need a good target. Bol.com is one of the largest e-commerce websites in the Netherlands. They were very active in dealing with the open redirect bug reports I submitted: they replied quickly, fixed the issue, and always sent me updates. No extra trouble, no NDA, a relaxed and cheerful tone. It can be said that this is a perfect example for other companies of how to deal with responsible disclosure. It's also a company worth joining.

Before we start the formal content, let's take a look at what XXE, LFI and RCE are.

Local file inclusion (LFI) is the process of displaying internal server files in the server response. Remote code execution (RCE) is the process of executing our own code on the server.

LFI bugs can often lead to RCE; there are a lot of tricks for escalating LFI to RCE.

RCE vulnerabilities pose a huge threat to server security because they may eventually lead to a complete server takeover. Although most servers execute web server code under an access-restricted account, the operating system itself still has flaws from time to time: flaws that allow you to bypass this access restriction. You may have used this type of bug in the past, by jailbreaking your iPhone or rooting your Android phone. Both use bugs to take over the operating system. We call this kind of attack privilege escalation.

XML external entity (XXE) attacks are based on extending an XML file so that it loads local files and external URLs. They can lead to LFI and RCE, so they are also very threatening. Although the XXE attack was discovered more than a decade ago, you can still find this vulnerability on many websites today.

Extensible markup language (XML)

XML is a markup language that allows you to create documents that are easy for both computers and people to read. Although some people say that the language is out of date, it is still used in many places today.

If we take a closer look at the example, we will notice that the contents sit between an opening and a closing tag. Therefore, specific characters within the tag must be escaped. Otherwise, it is possible to maliciously inject tags and manipulate the entire XML file. By default, XML escapes the characters < > & ' " to entities like &lt; &gt; &amp; &apos; &quot;, so we can still use these characters without breaking the XML file.

A nice feature of XML is that it allows us to define our own entities by including Document type definitions (DTD) in XML documents. As shown below.

DTD example:

Example DTD] > ToveJaniReminder&body; uses the XML parser

But what if the parser allows us to define files instead of strings? The result will be that the entity is replaced by the contents of the file. With the entity definition changed accordingly, some parsers will display the contents of the /etc/passwd file directly to us.

In addition to LFI, some XML parsers allow us to load external URLs, simply by replacing the file:// string with http://. The web server will then request this URL. This can lead to SSRF attacks: you can also request an internal web server, scan open ports, and map the internal network. Can you access a local web server that contains metadata? If so, you may end up with a $25000 bug bounty.

Other possibilities are direct acquisition of RCE and denial of service attacks through the PHP module.

The above LFI attack works only if our input is returned somewhere. Otherwise, we will not be able to read the replaced entity. If you encounter this situation, you can use the following techniques to leak data.

Blind XXE? Data leakage through HTTP/FTP request for external DTD

So the server parses your XML but doesn't show you what's in the response?

Since you can load an external DTD, you can append custom entities to an external URL. As long as the URL is valid, the parser will load the URL with the content attached. Note that characters like # break the URL.

XXEserv

XXEserv is a great tool created by staaldraad to capture XXE requests. It is a simple FTP/HTTP server that displays all the requests made to the server. It also fakes an FTP server; HTTP sometimes fails because of the characters in the string, while FTP keeps working.

Quick start

1. Install XXEserv on a public server

2. Create an external DTD file (that is, sp2.dtd) that contains the file or (internal) URL to be leaked. Replace x.x.x.x with the IP address or hostname of the server:

3. Place this external DTD file in the XXEserv directory. XXEserv acts as a public ftp and Web server; so we can now link to this file.

4. Send the XML payload to the victim, including our external DTD:

ToveJaniReminder&body

5. Observe the output of XXEserv

If you want to view different variants of XXE payloads, click here [1] [2].

We need to find a way to upload or inject our XML code into Bol.com. We can start with their "seller's portal". In most cases, sellers can upload pictures or other files related to their products.

This part of the site allows users to upload products that are ready for sale (again).

A short Dutch sentence: "Aanbod beheren via excel" means "manage inventory in excel".

This interface consists of three steps:

1. Download the Excel file containing the current inventory

2. Upload changed Excel files

3. View the upload result

Inventory Excel file

The extension of the Excel file is XLSX. This is an open file format developed by Microsoft; it is a zip file that contains multiple XML files.

Let's extract this file.

If we open sheet1.xml, we will see the following code.

Suppose we want to try to inject the file contents of /etc/passwd into the Offer description (this is the G4 cell, see the original Excel worksheet).

As we can see in the figure, the string 'Sample description' is referenced by id 108. Let's add a custom entity to the worksheet and replace this cell value with our custom entity.

We save the file, compress the folder again, and rename the file to .xlsx.

Let's see what happens if we upload the file in step 2, let it load, and then download the file again from step 1. If the XXE attack works, it will update our sample product (line 4 in Excel) and inject the contents of the /etc/passwd file into the product's price tag.

POC

You can see that we succeeded in getting the contents of /etc/passwd. Now is the time to write a report and inform them!

The next step is to check whether the server supports cloud metadata, check for configuration files that contain API keys, and see if you can escalate from LFI to RCE.

However, since the result had a sufficient impact on the target, I decided to inform Bol.com immediately. I asked them if they needed me to do further testing and escalate this to RCE. But before they replied, the bug had already been fixed :-)

File enumeration

If we try to parse a directory instead of a file (that is), the XML parser used by Bol.com returns the file names (as one large string). This allows us to quickly enumerate all the files on the server without brute-forcing file names.

Mass XXE injection

You can inject an XXE payload into a large number of file types. Therefore, every image upload is a potential XXE vulnerability. Buffalo has created a great tool to help you easily embed XXE payloads into all these different files.

By editing the XML file, we can include the contents of the local server file as a string in the upload. We can then download this document, so we can read private files from one of the production servers.

Solution

The best solution is to disable any DTD support in the XML parser. For more information, see OWASP's overview of different parsers and their configurations.
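As an illustration of that fix applied to the XLSX upload described above, the following added example (not code from the original write-up or from Bol.com) opens an uploaded workbook as a zip and refuses any XML part that carries a DOCTYPE, before an entity can be declared or expanded. The size cap, the function names and the sample workbooks are assumptions constructed for the example.

```python
import io
import zipfile
from xml.parsers import expat

MAX_PART_BYTES = 5 * 1024 * 1024  # assumed cap on one XML part's declared size

class DTDForbidden(ValueError):
    """An XML part declared a DOCTYPE."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise DTDForbidden(name)

def check_part(xml_bytes):
    """Return None if the part has no DTD, else a short reason string."""
    parser = expat.ParserCreate()
    # Called at <!DOCTYPE, before any entity is declared or expanded.
    parser.StartDoctypeDeclHandler = _reject_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DTDForbidden:
        return "doctype"
    except expat.ExpatError:
        return "malformed"
    return None

def scan_xlsx(data):
    """Return {part name: reason} for each XML part the upload must not keep."""
    refused = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if not info.filename.endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                refused[info.filename] = "too large"
            elif (reason := check_part(archive.read(info))):
                refused[info.filename] = reason
    return refused

def make_xlsx(sheet_xml):
    """Constructed sample: a minimal XLSX-like zip with one worksheet part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()

CLEAN = b'<?xml version="1.0"?><worksheet><sheetData/></worksheet>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE worksheet '
            b'[<!ENTITY body "constructed sample">]>'
            b'<worksheet><v>&body;</v></worksheet>')
```

An upload handler would reject the whole file when scan_xlsx returns a non-empty result, and the spreadsheet library that later parses the workbook should still have DTD processing disabled in its own parser.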

Impact

- Local file inclusion

- Possible local denial of service attack (not confirmed)

- Possible RCE (not confirmed)

- Possible SSRF (not confirmed)
