1 00:00:12,310 --> 00:00:18,150 Hey, guys, welcome back to another episode on how to hack. So over here I have WebGoat running. 2 00:00:18,190 --> 00:00:23,290 So we're back to the web application penetration testing series, and we can look under A4, which 3 00:00:23,290 --> 00:00:25,500 is on XML External Entities. 4 00:00:25,700 --> 00:00:26,890 So let's go ahead and click on it. 5 00:00:27,520 --> 00:00:35,440 So XML External Entity is where we understand how XML operates and how it is passed 6 00:00:35,710 --> 00:00:38,920 into the web application system for processing, 7 00:00:39,070 --> 00:00:47,200 and what kind of vulnerabilities and results we can obtain as the server processes the XML instructions. 8 00:00:47,240 --> 00:00:51,460 All right, so this leads us to the XML External Entity attack. 9 00:00:52,240 --> 00:01:00,250 So XML entities allow us to use text to define what kind of content is going to be passed from an XML 10 00:01:00,250 --> 00:01:02,170 document into the system. 11 00:01:02,200 --> 00:01:02,470 All right. 12 00:01:02,480 --> 00:01:06,430 So there are internal and external as well as parameter entities. 13 00:01:06,670 --> 00:01:13,210 And as you can see here, we have a document type definition, a DTD, and we have 14 00:01:13,210 --> 00:01:13,950 the DOCTYPE. 15 00:01:14,170 --> 00:01:22,060 So in this case we have a blog, and at the beginning we have XML version 1.0, and there are other options 16 00:01:22,060 --> 00:01:22,780 that you can input. 17 00:01:22,950 --> 00:01:23,120 All right. 18 00:01:23,190 --> 00:01:24,910 So we can see all these different details. 19 00:01:25,180 --> 00:01:31,980 And of course, it's always opened with a certain tag, a block, followed by a closing block, 20 00:01:32,230 --> 00:01:37,920 so very similar to how you look at HTML, how you structure HTML. 21 00:01:38,140 --> 00:01:40,150 In this case it will be for XML. 
22 00:01:40,930 --> 00:01:41,890 So what happens, 23 00:01:41,890 --> 00:01:42,030 right? 24 00:01:42,040 --> 00:01:46,410 As you can see from this XML version equals 1.0, 25 00:01:46,450 --> 00:01:49,210 we have a DOCTYPE and we have the entity. 26 00:01:50,140 --> 00:01:54,660 So we have entity js and we define it as Joe Smith. 27 00:01:54,670 --> 00:01:54,920 All right. 28 00:01:54,940 --> 00:02:01,170 And of course here we have the output, which is <author>&js;</author>. 29 00:02:01,180 --> 00:02:07,390 So this will pull out Joe Smith as a result, and it goes into the parser, and from the parser it will 30 00:02:07,390 --> 00:02:11,650 then just return back the author information. 31 00:02:11,830 --> 00:02:12,180 All right. 32 00:02:12,520 --> 00:02:13,440 So as you can see here, 33 00:02:13,580 --> 00:02:13,860 right, 34 00:02:13,880 --> 00:02:21,760 this helps us be able to actually create content, be able to put in certain information. 35 00:02:21,760 --> 00:02:26,920 And of course, here we have a Java application using XML to get data from the client to the server. 36 00:02:27,670 --> 00:02:29,550 So as you can see here once again, right, 37 00:02:30,010 --> 00:02:36,400 it is sent into the Java XML parser, and after that, it helps define certain information. 38 00:02:36,800 --> 00:02:42,100 OK, so as a result of that, this is what we call the XML external entity. 39 00:02:42,860 --> 00:02:49,060 So this is the part where we push information into the web application system or the parser, and the 40 00:02:49,060 --> 00:02:53,050 parser will actually pull out certain information for us. 41 00:02:53,290 --> 00:02:53,520 All right. 42 00:02:53,540 --> 00:03:02,230 Like system-issued commands, the rows of users, certain confidential information, certain directories, 43 00:03:02,230 --> 00:03:08,110 listings of directories, files and folders inside a particular part of the server. 
44 00:03:08,410 --> 00:03:14,230 So this is the place where we can launch all these different attacks by uploading an XML document or 45 00:03:14,230 --> 00:03:18,670 XML information into the web application server and system, 46 00:03:18,910 --> 00:03:26,200 and that will result in the return of all these different kinds of instructions and commands. 47 00:03:26,260 --> 00:03:26,500 All right. 48 00:03:26,500 --> 00:03:27,450 So, anyway. 49 00:03:27,490 --> 00:03:27,700 All right. 50 00:03:27,730 --> 00:03:28,630 So here's an example. 51 00:03:29,350 --> 00:03:32,380 So in this case we have a normal XML entity, right? 52 00:03:32,420 --> 00:03:35,820 So we have DOCTYPE author, we have the ELEMENT, all right, 53 00:03:35,830 --> 00:03:37,660 and we have the js, Joe Smith. 54 00:03:37,660 --> 00:03:39,610 And of course this is under the author. 55 00:03:39,620 --> 00:03:42,610 So you get it processed over here on the last row. 56 00:03:43,090 --> 00:03:46,370 So over here we have the external DTD declaration. 57 00:03:46,420 --> 00:03:46,680 All right. 58 00:03:46,690 --> 00:03:48,380 So we can actually do a definition. 59 00:03:48,880 --> 00:03:49,690 So in this case, 60 00:03:49,720 --> 00:03:50,730 all right, we have the email. 61 00:03:50,950 --> 00:03:53,230 So it is to, from, subject and body. 62 00:03:53,620 --> 00:03:59,970 So this is, again, an email.dtd that is being sent into the system. 63 00:04:00,340 --> 00:04:02,080 And of course, we have the email. 64 00:04:02,500 --> 00:04:07,690 So you get email to, from, subject and body, and you have all this data. 65 00:04:08,560 --> 00:04:15,520 So an email parser is configured to allow external DTDs or entities, and we can change the XML snippet 66 00:04:15,520 --> 00:04:16,090 to the following. 67 00:04:16,120 --> 00:04:17,060 So as you can see here, 68 00:04:17,380 --> 00:04:23,570 what we are entering is an ENTITY xxe SYSTEM and we're using file:///etc/passwd. 
69 00:04:23,800 --> 00:04:28,390 So this will list out and help us enumerate a list of users inside the system. 70 00:04:28,540 --> 00:04:36,190 So when you do this inside a system, it will run the instruction for us and return, under &xxe;, 71 00:04:36,520 --> 00:04:38,050 a list of users. 72 00:04:38,080 --> 00:04:38,420 All right. 73 00:04:38,830 --> 00:04:45,220 So again, this allows us to run certain system commands, instructions or a reverse shell, and so many 74 00:04:45,220 --> 00:04:49,060 different options for us to actually launch the attack from an XML.
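The email/DTD scenario the video walks through, as an added example that is not from the video or from WebGoat: the lesson shows a Java parser, but Python's standard-library SAX parser (backed by expat) behaves the same way once external general entities are enabled, so it is used here as a stand-in. The payload is the one the video describes (an `xxe` entity declared `SYSTEM` and referenced from `<body>`), but it points at a constructed temporary file instead of `/etc/passwd` so it runs anywhere without touching real system files. The same `parse_email` function is then run with external entities disabled, and a third time with a lexical handler that rejects any DOCTYPE, which is the fix a practitioner would normally ship. Entity name, field names and the temp-file path are assumptions of this example.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

# Constructed stand-in for /etc/passwd so the demo never reads the real file.
CONSTRUCTED_SECRET = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


class EmailHandler(ContentHandler):
    """Collects the text of each child of <email> (to, from, subject, body)."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name != "email":
            self._current = name
            self.fields.setdefault(name, "")

    def characters(self, content):
        # Text produced by expanding an external entity arrives here as well,
        # possibly in several chunks, so it is appended rather than assigned.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        if name == self._current:
            self._current = None


class DoctypeRejector:
    """Lexical handler that aborts parsing as soon as a DOCTYPE is seen.
    Client-supplied XML has no business carrying a DTD, so refusing it
    outright removes every entity-based trick, not just SYSTEM entities."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE is not allowed in client-supplied XML")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_email(xml_bytes, allow_external_entities, reject_doctype=False):
    """Parse an <email> document; the two flags model the parser's configuration."""
    parser = xml.sax.make_parser()
    # This single feature is the difference between a leaking and a safe parser.
    parser.setFeature(feature_external_ges, allow_external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, DoctypeRejector())
    handler = EmailHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.fields


def build_xxe_payload(target_uri):
    """The email document from the video with <body> replaced by &xxe;."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE email [
  <!ELEMENT email (to,from,subject,body)>
  <!ENTITY xxe SYSTEM "{target_uri}">
]>
<email>
  <to>alice@example.com</to>
  <from>bob@example.com</from>
  <subject>hello</subject>
  <body>&xxe;</body>
</email>
""".encode()


def demo():
    """Returns (body with XXE enabled, body with it disabled, DOCTYPE rejected?)."""
    fd, secret_path = tempfile.mkstemp(suffix=".txt")  # assumed writable temp dir
    with os.fdopen(fd, "w") as fh:
        fh.write(CONSTRUCTED_SECRET)
    try:
        payload = build_xxe_payload(Path(secret_path).as_uri())  # file:///...
        leaked = parse_email(payload, allow_external_entities=True)["body"]
        blocked = parse_email(payload, allow_external_entities=False)["body"]
        try:
            parse_email(payload, allow_external_entities=False, reject_doctype=True)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(secret_path)
    return leaked, blocked, rejected


if __name__ == "__main__":
    leaked, blocked, rejected = demo()
    print("external entities enabled  ->", repr(leaked))
    print("external entities disabled ->", repr(blocked))
    print("DOCTYPE rejected           ->", rejected)
```

With external entities enabled the whole file lands in `body` and would be echoed back in whatever the application does with that field; with them disabled the reference silently expands to nothing, and with the lexical handler the request never gets past the DOCTYPE. Note that recent Python releases already default `feature_external_ges` to off, so the vulnerable branch here is opt-in, which is exactly the setting to audit for in any parser that lets you turn it on.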