This page covers exploitation of XXE (XML External Entity) and Path Traversal vulnerabilities. Both attacks abuse how the server reads from the local file system and from external sources while handling a request.
The XML standard allows the use of DTDs (Document Type Definitions). Within a DTD, External Entities can be declared. These act as dynamic variables that the XML parser fills in by fetching the URI named after SYSTEM, which can be a local file (file://) or a remote resource (http://).
If the web app parses user-supplied XML with external entity resolution enabled, we can force it to read files like /etc/passwd and return their contents wherever the entity is referenced:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root><data>&xxe;</data></root>
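The intake side of the same endpoint, written defensively in Python as an added example (this is not the page's PHP code and not part of the lab). Rather than trusting parser defaults, it walks the bytes once with expat using handlers that abort on any DOCTYPE, entity declaration or external entity reference, and only then hands the document to ElementTree. The stock-check element names, product and store values are constructed for the example. ElementTree itself does not resolve external entities, but it does expand internal entities, so refusing every DTD up front also blocks entity-expansion (billion laughs) documents.

```python
"""Hardened XML intake for a stock-check endpoint: refuse any document that
carries a DTD before the application parser ever touches it."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when the input declares a DOCTYPE or an entity, or references an
    external entity; the message records what was seen, for logging."""


def check_no_dtd(xml_bytes: bytes) -> None:
    """Pre-parse pass with expat. Each handler raises instead of resolving
    anything, so the walk stops at the first DTD construct and nothing is fetched."""
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} declared (system id {sysid!r})")

    def reject_entity(entity_name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity {entity_name!r} declared (system id {sysid!r})")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.Parse(xml_bytes, True)


def parse_stock_check(xml_bytes: bytes) -> dict:
    """Validate, then parse with ElementTree and flatten the child elements.
    Constructed schema: <stockCheck><productId/><storeId/></stockCheck>."""
    check_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {child.tag: (child.text or "").strip() for child in root}


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the hardened intake refuses the document."""
    try:
        parse_stock_check(xml_bytes)
    except UnsafeXML:
        return True
    return False


# Constructed samples: the payload shown on this page, a DTD with only an
# internal entity (no SYSTEM, still refused), and a benign stock check.
XXE_PAYLOAD = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE foo [\n<!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n'
    b'<root><data>&xxe;</data></root>'
)
INTERNAL_DTD = b'<!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>'
CLEAN = (
    b'<?xml version="1.0"?>'
    b'<stockCheck><productId>381</productId><storeId>29</storeId></stockCheck>'
)

if __name__ == "__main__":
    print(parse_stock_check(CLEAN))
    for sample in (XXE_PAYLOAD, INTERNAL_DTD):
        try:
            parse_stock_check(sample)
        except UnsafeXML as exc:
            print("rejected:", exc)
```

The UnsafeXML message is what you would write to the application log: the DOCTYPE name and system id tell an analyst exactly which file or URL the request tried to pull in.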
I've created a simulated API endpoint that processes Stock checks via XML. The parser is vulnerable. Your mission is to inject an External Entity (SYSTEM) to read the /etc/passwd file.
Path Traversal (also called Directory Traversal) allows an attacker to read arbitrary files on the web server by escaping the intended root directory with ../ sequences.
http://target.com/download?file=../../../etc/passwd
http://target.com/file?name=..%2F..%2F..%2Fetc%2Fpasswd # URL-encoded: the server decodes %2F back to /
http://target.com/file?name=../../../etc/passwd%00.jpg # Null byte: truncates the name before an appended extension; only effective on PHP older than 5.3.4
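The defensive counterpart for a download endpoint, as an added Python example (not the page's PHP code): decode once, refuse NUL bytes, canonicalise both the base directory and the candidate, and confine by path components rather than by string prefix. The demo() fixture, the report.txt file and the probe list are constructed for this example; the probes are the three request shapes listed above plus an absolute path and a missing file.

```python
"""Safe file resolution for a download endpoint: canonicalise, then confine by
path components, and never let a NUL byte through."""
import os
import tempfile
from urllib.parse import unquote


class TraversalAttempt(PermissionError):
    """Raised when the requested name would leave the allowed directory."""


def resolve_safely(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` inside `base_dir`,
    or raise TraversalAttempt. Percent-encoding is decoded exactly once;
    decoding again would reopen the door to double-encoded names (..%252F)."""
    name = unquote(requested)
    if "\x00" in name:
        # A NUL can truncate the path in C-level APIs ("passwd\0.jpg" -> "passwd").
        raise TraversalAttempt("NUL byte in requested path")
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `name` is absolute; realpath then
    # collapses ../ and follows symlinks, so the containment test sees the
    # real target rather than the string the client sent.
    candidate = os.path.realpath(os.path.join(base, name))
    # Compare path components, not a string prefix: /srv/files_old is not
    # under /srv/files even though it starts with the same characters.
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalAttempt(f"{requested!r} resolves outside {base}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def serve(base_dir: str, requested: str) -> str:
    """What the handler would return: the file body, or a 403/404-style message."""
    try:
        with open(resolve_safely(base_dir, requested), encoding="utf-8") as fh:
            return fh.read()
    except TraversalAttempt as exc:
        return f"403 Access denied ({exc})"
    except FileNotFoundError:
        return "404 Not found"


def demo() -> dict:
    """Constructed fixture: a temporary directory holding one report, probed
    with the request shapes from this page."""
    base = tempfile.mkdtemp(prefix="files_")
    with open(os.path.join(base, "report.txt"), "w", encoding="utf-8") as fh:
        fh.write("quarterly numbers")
    probes = [
        "report.txt",
        "../../../etc/passwd",
        "..%2F..%2F..%2Fetc%2Fpasswd",
        "../../../etc/passwd%00.jpg",
        "/etc/passwd",
        "missing.txt",
    ]
    return {p: serve(base, p) for p in probes}


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request:32} -> {outcome}")
```

Note that the NUL check runs before any filesystem call, and that the 403 branch fires before isfile(): a traversal attempt is refused even when the target file does not exist, so the response does not leak whether /etc/passwd or anything else is present.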
If we can read local files, we can often read the Apache access log too. The log records the User-Agent header verbatim, so if PHP is injected there and Path Traversal is then used to pull the log file into an include() or require() call, the server executes that PHP (log poisoning). A readfile()-style sink only discloses the log and does not run it.
<?php
/* XXE DEFENSE */
// PHP < 8.0: stop libxml from fetching external entities globally. PHP >= 8.0
// already disables the external entity loader by default and deprecates this
// call. In either case, never pass LIBXML_NOENT when parsing untrusted XML.
if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}

/* PATH TRAVERSAL DEFENSE */
// Canonicalise the base too, so a symlinked document root still compares equal.
$base = realpath('/var/www/files') . '/';
$real = realpath($base . ($_GET['file'] ?? ''));
// realpath() collapses ../ and follows symlinks; the prefix test then confines
// the result to $base (the trailing slash stops /var/www/files_other matching).
if ($real === false || strpos($real, $base) !== 0 || !is_file($real)) {
    http_response_code(403);
    die('Access denied');
}
readfile($real);