From 9ab06bed7d11360bf3b4cb4cfca54723c8a26ba1 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 11 Jul 2025 18:37:22 +0000 Subject: [PATCH] Add content from: Dojo CTF Challenge #42: Hex Color Palette XXE File Disclosur... --- .../reversing-native-libraries.md | 8 +-- .../ios-pentesting-without-jailbreak.md | 2 +- .../sql-injection/ms-access-sql-injection.md | 4 +- .../xxe-xee-xml-external-entity.md | 67 +++++++++++++++++++ 4 files changed, 74 insertions(+), 7 deletions(-) diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md index 03213da5080..ea060841d8a 100644 --- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md +++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md @@ -61,7 +61,7 @@ Java.perform(function () { }); }); ``` -Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. citeturn5search2turn5search0 +Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. --- 
@@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) | Year | CVE | Affected library | Notes | |------|-----|------------------|-------| -|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0| +|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| | |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.| When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant. @@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their ### References -- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) citeturn5search0 -- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0 +- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) +- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 004d7bf0e0e..791da2761f0 100644 
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md @@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth ### Automated dynamic analysis with MobSF (no jailbreak) -[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: +[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: ```bash docker pull opensecurity/mobile-security-framework-mobsf:latest diff --git a/src/pentesting-web/sql-injection/ms-access-sql-injection.md b/src/pentesting-web/sql-injection/ms-access-sql-injection.md index 913a7a03f98..5b9778a7ad4 100644 --- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md +++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md 
@@ -141,7 +141,7 @@ Point the UNC path to: * a host that drops the TCP handshake after `SYN-ACK` * a firewall sinkhole -The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0 +The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. ### Other Interesting functions @@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps): * Block outbound SMB/WebDAV at the network boundary. * Sanitize / parameterise any part of a query that may end up inside an `IN` clause. -The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0 +The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. ### .mdb Password Cracker diff --git a/src/pentesting-web/xxe-xee-xml-external-entity.md b/src/pentesting-web/xxe-xee-xml-external-entity.md index 8b39a5e2412..b689b1345ca 100644 --- a/src/pentesting-web/xxe-xee-xml-external-entity.md +++ b/src/pentesting-web/xxe-xee-xml-external-entity.md 
@@ -1,5 +1,10 @@ # XXE - XEE - XML External Entity +{{#include /banners/hacktricks-training.md}} + +- [Dojo CTF Challenge #42 – Hex Color Palette XXE write-up](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42) +- [lxml bug #2107279 – Parameter-entity XXE still possible](https://bugs.launchpad.net/lxml/+bug/2107279) + {{#include ../banners/hacktricks-training.md}} ## XML Basics 
@@ -773,6 +778,65 @@ Take a look to this amazing report [https://swarm.ptsecurity.com/impossible-xxe- https://github.com/luisfontes19/xxexploiter {{#endref}} +### Python lxml Parameter-Entity XXE (Error-Based File Disclosure) + +> [!INFO] +> The Python library **lxml** uses **libxml2** under the hood. Versions prior to **lxml 5.4.0 / libxml2 2.13.8** still expand *parameter* entities even when `resolve_entities=False`, making them reachable when the application enables `load_dtd=True` and/or `resolve_entities=True`. This allows Error-Based XXE payloads that embed the contents of local files into the parser error message. + +#### 1. Exploiting lxml < 5.4.0 +1. Identify or create a *local* DTD on disk that defines an **undefined** parameter entity (e.g. `%config_hex;`). +2. Craft an internal DTD that: + * Loads the local DTD with ``. + * Redefines the undefined entity so that it: + - Reads the target file (``). + - Builds another parameter entity that refers to an **invalid path** containing the `%flag;` value and triggers a parser error (`">`). +3. Finally expand `%local_dtd;` and `%eval;` so that the parser encounters `%error;`, fails to open `/aaa/` and leaks the flag inside the thrown exception – which is often returned to the user by the application. + +```xml + + + "> + %eval;'> + %local_dtd; +]> +``` +When the application prints the exception the response contains: +``` +Error : failed to load external entity "file:///aaa/FLAG{secret}" +``` + +> [!TIP] +> If the parser complains about `%`/`&` characters inside the internal subset, double-encode them (`&#x25;` ⇒ `%`) to delay expansion. + +#### 2. Bypassing the lxml 5.4.0 hardening (libxml2 still vulnerable) +`lxml` ≥ 5.4.0 forbids *error* parameter entities like the one above, but **libxml2** still allows them to be embedded in a *general* entity. The trick is to: +1. Read the file into a parameter entity `%file`. +2. 
Declare another parameter entity that builds a **general** entity `c` whose SYSTEM identifier uses a *non-existent protocol* such as `meow://%file;`. +3. Place `&c;` in the XML body. When the parser tries to dereference `meow://…` it fails and reflects the full URI – including the file contents – in the error message. + +```xml + + "> + '> + %a; %b; +]> +&c; +``` + +#### Key takeaways +* **Parameter entities** are still expanded by libxml2 even when `resolve_entities` should block XXE. +* An **invalid URI** or **non-existent file** is enough to concatenate controlled data into the thrown exception. +* The technique works **without outbound connectivity**, making it ideal for strictly egress-filtered environments. + +#### Mitigation guidance +* Upgrade to **lxml ≥ 5.4.0** and ensure the underlying **libxml2** is **≥ 2.13.8**. +* Disable `load_dtd` and/or `resolve_entities` unless absolutely required. +* Avoid returning raw parser errors to the client. + ## References - [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf) @@ -784,4 +848,7 @@ https://github.com/luisfontes19/xxexploiter - [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) - [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7) +- [Dojo CTF Challenge #42 – Hex Color Palette XXE write-up](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42) +- [lxml bug #2107279 – Parameter-entity XXE still possible](https://bugs.launchpad.net/lxml/+bug/2107279) + {{#include ../banners/hacktricks-training.md}}
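Review bot: the CVE-2023-4863 table row in the `reversing-native-libraries.md` hunk at `@@ -69,7 +69,7 @@` still ends with an empty fifth cell (`...attempt exploitation or patching.| |`) while the header `| Year | CVE | Affected library | Notes |` and the OpenSSL row have four columns; stripping the citation token left the trailing `| |` behind, so drop it and end the row at `...attempt exploitation or patching.|` so the table renders with consistent columns.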
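Review bot: only part of the citation marker was removed in the `ios-pentesting-without-jailbreak.md` hunk at `@@ -106,7 +106,7 @@`: the new line still carries `【†L2-L3】` after "Frida console", which is residue of the same marker with no referent. Delete the whole token so the sentence reads `...traffic capture and Frida console. The quickest way is to run MobSF in Docker...`.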
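Review bot: the sentence in the `ms-access-sql-injection.md` hunk at `@@ -141,7 +141,7 @@` now cites "KB5002984" with no link once `citeturn1search0` is dropped; this hunk only strips the token, so add a link to the Microsoft KB article (inline or as an entry in the page's references) so the registry kill-switch claim remains checkable.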
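Review bot: the statement that Check Point Research revisited the forced-authentication vector in 2023 in the `ms-access-sql-injection.md` hunk at `@@ -229,7 +229,7 @@` is left without any source after `citeturn0search0` is removed; add a reference to the Check Point publication, otherwise the "fully patched Windows Server" claim cannot be verified from the page.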
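Review bot: the added `{{#include /banners/hacktricks-training.md}}` in the `xxe-xee-xml-external-entity.md` hunk at `@@ -1,5 +1,10 @@` uses an absolute path while the existing include two lines below uses `../banners/hacktricks-training.md`, so the banner is now included twice at the top of the page (and the absolute form may not resolve in the book build). The two Dojo/lxml links added here are also repeated verbatim in the `## References` section by the last hunk of this patch; drop this whole added block and keep only the references entries.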
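Review bot: the `<!ENTITY ...>` declarations are missing from both XML payload blocks and from the numbered steps in the `xxe-xee-xml-external-entity.md` hunk at `@@ -773,6 +778,65 @@` (step 2 reads "Loads the local DTD with ``." and the first block contains fragments such as `"> %eval;'>` with nothing before them), so the payloads cannot be parsed or reproduced as written; restore the full declarations for `%local_dtd;`, `%flag;`, `%eval;`, `%error;`, `%file;`, `%a;`, `%b;` and `c` before merging. Also, the INFO box states parameter entities are expanded "even when `resolve_entities=False`", yet the mitigation list says to disable `load_dtd` "and/or" `resolve_entities`; by the section's own claim `resolve_entities=False` alone does not stop this on affected versions, so say "and" (disable both) and present the lxml/libxml2 upgrade as the actual fix.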