XXE Vulnerability about dvws HOT 6 CLOSED

Hey offsecguy, is the dvws setup on Linux or Windows?

It should work on Linux. All the payloads you used are technically correct but it needs to be slightly modified to be interpreted by the simplexml_load_string parser. The entire XXE payload needs to be in the name parameter for the XXE to be processed. I admit that this is because the simplexml_load_string's function is to take all XML value given within a parameter and convert it to string. I will defo do a rewrite with more realistic parser in the coming month.

---------------------------Example payloads (works on linux)--------------------------------------------
EDIT: Github not showing html tag here are some examples on pastebin

http://pastebin.com/zqpVZ3mA

references: http://php.net/manual/en/function.simplexml-load-string.php

from dvws.

Hey thanks for responding.

Yes I had tried on Kali Linux rolling version, and to make sure latest
debain is not blocking or preventing attack I tried on beebox old
vulnerable Ubuntu box too.

I will try entire XML inside name parameter as you suggested and let you
know.

Any particular reason to send parameter value as text and forward it to XML
parser? Can't we send data as XML ?
On 15-Feb-2016 23:13, "snoopythesecuritydog" [email protected]
wrote:

Hey offsecguy, is the dvws setup on Linux or Windows?

It should work on Linux. All the payloads you used are technically correct
but it needs to be slightly modified to be interpreted by the
simplexml_load_string parser. The entire XXE payload needs to be in the
name parameter for the XXE to be processed. I admit that this is because
the simplexml_load_string's function is to take all XML value given within
a parameter and convert it to string. I will defo do a rewrite with more
realistic parser in the coming month.

---------------------------Example payloads (works on
linux)--------------------------------------------

name=

]>

&xxe;

name=]>&xxe;

references: http://php.net/manual/en/function.simplexml-load-string.php

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

from dvws.

It was a mistake on my part e.g. the way I implemented it. Most real scenarios I've seen takes the entire request to be processed. Cheers for pointing this out. Will do an update soon. :)

from dvws.

added xxe2. This one is a bit better and works as intended.

from dvws.

Perfect, works great :)

Hope in future you will add other vulnerabilities as you have listed in your to-do list. Please let me know if i could contribute in any way, i am not very good in development, however i can take some task which may be time consuming and repetitive for you.

from dvws.

Ok will do, thanks

from dvws.