
A question on Ruby, plus thoughts and tools for exploiting XXE in OXML documents.

  1. #1
    Sophie Pedophile Tech Support
    So I was just reading about this type of webapp technique called XML External Entity attack; it's XML injection, not unlike reflective XSS. The purpose of such an attack would be to disclose information on the server that would otherwise be protected. A nice code example I found illustrates the basic principle.

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE test [ <!ENTITY xxeattack SYSTEM "file:///etc/passwd"> ]>
    <xxx>&xxeattack;</xxx>

    As I understand it, when this gets parsed and returned in the XML document, the contents of "file:///etc/passwd" should be revealed as well. Now with regards to OXML documents: an OXML document is a zip file containing XML files and any media files. When the document is rendered, the rendering library unzips the document and then parses the contained XML files.

    When you embed an XXE exploit within an OXML document such as a Word .docx file, you can use this to exploit a website's upload functionality to disclose valuable information, if you are able to retrieve it. Now it so happens there is a tool for this that generates the XXE exploit for you and embeds it in a document of your choice: PDF, Word document, you name it. Here is the tool for doing so.

    https://github.com/BuffaloWill/oxml_xxe

    It's written in Ruby, which leads me to my question: it has some dependencies, namely highline and zipruby. I got highline by downloading it with Ruby:
     gem install highline 
    Which worked; however, when I tried to do the same for zipruby I got the following error message, and I am not sure how to proceed and would like to ask you how I would go about fixing this. Here's the error message.



    $ gem install zipruby
    Temporarily enhancing PATH to include DevKit...
    Building native extensions. This could take a while...
    ERROR: Error installing zipruby:
    ERROR: Failed to build gem native extension.

    C:/PentestBox/bin/Ruby193/bin/ruby.exe extconf.rb
    checking for zlib.h... *** extconf.rb failed ***
    Could not create Makefile due to some reason, probably lack of
    necessary libraries and/or headers. Check the mkmf.log file for more
    details. You may need configuration options.

    Provided configuration options:
    --with-opt-dir
    --without-opt-dir
    --with-opt-include
    --without-opt-include=${opt-dir}/include
    --with-opt-lib
    --without-opt-lib=${opt-dir}/lib
    --with-make-prog
    --without-make-prog
    --srcdir=.
    --curdir
    --ruby=C:/PentestBox/bin/Ruby193/bin/ruby
    C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:381:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
    You have to install development tools first.
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:506:in `try_cpp'
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:931:in `block in have_header'
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:790:in `block in checking_for'
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:284:in `block (2 levels) in postpone'
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:254:in `open'
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:284:in `block in postpone'
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:254:in `open'
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:280:in `postpone'
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:789:in `checking_for'
    from C:/PentestBox/bin/Ruby193/lib/ruby/1.9.1/mkmf.rb:930:in `have_header'
    from extconf.rb:3:in `<main>'


    Gem files will remain installed in C:/PentestBox/bin/Ruby193/lib/ruby/gems/1.9.1/gems/zipruby-0.3.6 for inspection.
    Results logged to C:/PentestBox/bin/Ruby193/lib/ruby/gems/1.9.1/gems/zipruby-0.3.6/ext/gem_make.out


    Also, if you're interested in XXE and XML injection, here is the article I was reading earlier; it's pretty interesting and really goes in-depth on the principles behind this technique.


    http://web-in-security.blogspot.co.uk/2014/11/detecting-and-exploiting-xxe-in-saml.html

    Thanks guys.
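    An added example, not part of this thread or of the oxml_xxe project: a small Ruby check that an upload handler could run over the XML parts of an OXML package after unzipping and before handing them to the rendering library, rejecting any part that declares a DTD, and in particular one with an external entity like the one above. The function names (xxe_findings, scan_oxml_parts) and the sample parts in SAMPLE_PARTS are constructed for the example; the zip extraction step is assumed to be done by whatever library the handler already uses.

```ruby
require "rexml/document"

# Reasons to reject one XML part before the real OXML parser sees it; [] means OK.
def xxe_findings(xml)
  doctype = REXML::Document.new(xml).doctype
  return [] unless doctype
  # OXML parts never carry a DTD, so any DOCTYPE is already worth rejecting.
  findings = ["DOCTYPE declared"]
  doctype.children.each do |decl|
    next unless decl.is_a?(REXML::Entity)
    # `external` is "SYSTEM"/"PUBLIC" for external entities, nil for internal ones.
    next unless decl.external
    findings << "external #{decl.external} entity #{decl.name} -> #{decl.ref}"
  end
  findings
rescue REXML::ParseException => e
  ["not well-formed XML: #{e.message.lines.first.strip}"]
end

# Walk the unpacked package (part name => content) and collect the parts that
# must be rejected. Only XML parts are inspected; media parts pass through.
def scan_oxml_parts(parts)
  parts.each_with_object({}) do |(name, content), rejected|
    next unless name.end_with?(".xml", ".rels")
    findings = xxe_findings(content)
    rejected[name] = findings unless findings.empty?
  end
end

# Constructed sample, standing in for the files a .docx unzips to.
SAMPLE_PARTS = {
  "[Content_Types].xml" =>
    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
  "word/document.xml" => <<~XML,
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE x [ <!ENTITY xxeattack SYSTEM "file:///etc/passwd"> ]>
    <w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>&xxeattack;</w:p></w:body></w:document>
  XML
  "docProps/core.xml" => <<~XML,
    <?xml version="1.0"?>
    <!DOCTYPE p [ <!ENTITY co "Example Co"> ]>
    <properties><creator>&co;</creator></properties>
  XML
  "word/media/image1.png" => "PNG bytes (never parsed as XML)",
}.freeze

if $PROGRAM_NAME == __FILE__
  scan_oxml_parts(SAMPLE_PARTS).each { |part, why| puts "#{part}: #{why.join('; ')}" }
end
```

    In a real handler the whole upload is rejected as soon as any part has a finding; the per-part detail is only for logging.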
  2. #2
    aldra JIDF Controlled Opposition
    sorry, meant to reply to this the other day

    I've tried similar with XML parsers - I end up having to work with them a bit, haven't had any luck except crashing with lulzy malformed files. will give this a try though.


    as for ruby I haven't used it at all, but that particular error refers to a .h file, which is generally a C header, so you're likely having issues building the ruby lib - zlib is a standard lunix compression library. searching for the file zlib.h in debian's repo search (https://packages.debian.org/search?suite=stable&section=all&arch=any&searchon=contents&keywords=zlib.h) says it's part of the libpoco package, which is a standard C++ (gcc) component, so it'd seem you need to install the full dev environment as you're having compile issues.

    you're not on lunix though so you can't just apt-get packages - another search says there's a zlib package for windows you could use, but I'd recommend doing a full gcc install otherwise there will probably be other dependency issues.
  3. #3
    Sophie Pedophile Tech Support
    sorry, meant to reply to this the other day

    I've tried similar with XML parsers - I end up having to work with them a bit, haven't had any luck except crashing with lulzy malformed files. will give this a try though.


    as for ruby I haven't used it at all, but that particular error refers to a .h file, which is generally a C header, so you're likely having issues building the ruby lib - zlib is a standard lunix compression library. searching for the file zlib.h in debian's repo search (https://packages.debian.org/search?suite=stable&section=all&arch=any&searchon=contents&keywords=zlib.h) says it's part of the libpoco package, which is a standard C++ (gcc) component, so it'd seem you need to install the full dev environment as you're having compile issues.

    you're not on lunix though so you can't just apt-get packages - another search says there's a zlib package for windows you could use, but I'd recommend doing a full gcc install otherwise there will probably be other dependency issues.

    I take it you mean the full Ruby dev environment? Thanks for your reply, and let me know if you have any success with the tool I linked to.
  4. #4
    aldra JIDF Controlled Opposition
    nah, it's referring to headers and makefiles, I suspect it's doing some C/++ compilation to build the extension
  5. #5
    Sophie Pedophile Tech Support
    nah, it's referring to headers and makefiles, I suspect it's doing some C/++ compilation to build the extension

    Oh I see, well I'll try to get it sorted out.
  6. #6
    Sophie Pedophile Tech Support
    When I get internet on my main PC again I will be doing a full gcc install; also, in the meantime, have you had the chance to test this tool?

    I am really curious as to its effectiveness and general functionality.