Well known XML attacks
XSLT related
XInclude attacks
Entity-based attacks
Billion laughs
SHOW EXCITING WAYS TO EXPLOIT XXE:
XML derivatives
XML entities: a multi-page standard; variables that are stored in the body.
Parameter entities:
Special type of entity:
Using % instead of &
More flexible
Declaration in an external DTD
Can not be used in XML body
XML syntax is not
Out of band:
Sending local file content
External parameter entity
Different protocol handlers
FTP, http
"Group Policy Preferences"
XXE meets inter protocol exploitation
Requirements:
Encapsulation
Error tolerance
Main difficulty: limited character set
Let’s check some XML parsers’ badchars
Internet Explorer: bytes lower than 0x80, URL-encodes some characters (e.g. space -> %20), cuts newlines
Visual Studio -> URL-encodes every non-alphanumeric character
Alphanum shellcode -> Restricted to alphanumeric characters
UTF-8 too!
"jmp esp": reaching the target (the path consists only of ASCII characters)
Garmin Training Center application
XXE the AV
Original idea: .docx vs. virus scanners
Grepped ClamAV; these can deal with XAR:
AVG, Ad-Aware, Avast, Avira, BitDefender, ...