My Pentest Log -5- (XXE with Excel)
Greetings Everyone from Sancta Sophia,
In this article, I would like to inform you about a finding I encountered during the web pentest.
Throughout the test, the target will be specified as private.com.
1. After the necessary planning was made by our project manager, it was stated that I would test the private.com application.
2. As always, I first reviewed and verified the scope form (I write this every time I write, because if you start the test without reviewing the scope form, you may have tested a wrong address at the end of the day, which is a waste of time and can cause problems for the customer.)
3. After verifying the scope, I started the pentest stages on the target. I detected various vulnerabilities, but the one that motivated me the most was the vulnerability I found on the file upload area.
4. There was a file upload area on the target application, but the file upload area on the application allowed only excel file to be uploaded instead of generally known files such as pdf, jpg or png.
5. What was the advantage of this for us security guards? We can say that most of the office files allow to create more attack surfaces than other files such as pdf, png for example, creating an attack surface from a jpg or pdf is more troublesome than office files because the decompile process is tiring.
6. As I mentioned on the target, it allowed to upload files in excel format, I’m sure many people would try to use “xxe, xss or out-of-band” techniques at this point, but instead of doing this, first of all, we should investigate:
Does the application parsing the file we uploaded? because if the application does not interpret the uploaded files and stores them directly, it is not possible to have many attack vectors that I mentioned above.
7. To analyze this question correctly, I created a simple excel file and tried to upload the file without trying any attack vectors because sometimes the file upload fields can’t work.
8. I observed that the excel file I created was uploaded successfully (step 1 is ok — file upload area is working)
9. From this point on, I planned to try a simple xxe attack to find out if the application is interpreting or not interpreting files uploaded by users.
Let’s play with excel a little bit:
10. First we need to decompile the excel file:
(Our purpose here is to investigate the question of whether out-of-band attack is possible or not?)
“unzip test.xlsx” , we parse our excel file with this command, after this process we can see various xml files.
You can test attack surfaces from any of these files, but the file “xl/workbook.xml” is the most used because it is the first file that is investigated in the parsing process. (For more details, you can visit: https://docs.microsoft.com/en-us/office/open-xml/structure-of-a-spreadsheetml-document.)
After decompile the test.xlsx file, we need to open the “xl/workbook.xml” file with any editor. At this point, we will integrate our xxe load that we created.
After viewing the “xl/workbook.xml” file on nano, we integrate our xxe load that we created on the 2nd line.
We are recrating the excel file we parsed with the * zip -r ../test.xlsx * command.
Now our file is ready.
11. From this point on, I tried to load the file that I had created on the application, and then returned to the burp collaborator and checked if any requests were fulfilled.
12. After waiting about 30–40 seconds, I realized that a few HTTP requests were made :)
13. Afterwards, I took the current situation further and tried data extraction.
Be sure to explore the file upload areas on the application and do a little research on the file type expected from the user and try to use it for out-of-band attacks, so you can both discover new things and surprise your customers.