Making REXML or Nokogiri vulnerable to XXE

I’m doing security research and I’m trying to create a Ruby script
vulnerable to XXE.

I’ve got the following XML which should replace &xxe with the contents
of the passwd file if the script is vulnerable

xml_data = '<?xml version="1.0"?>

<!DOCTYPE demo [ ]> &xxe; '

From what I’ve read, it is the libxml2 options that are protecting the
script, so with Nokogiri I’ve tried forcing the options down to just
RECOVER, but that doesn’t work; I can’t even get basic entity
replacement working.

doc = Nokogiri::XML.parse(xml_data, nil, nil, Nokogiri::XML::ParseOptions::RECOVER)
puts doc.inspect
puts doc.xpath("/a/inject")

I’ve also tried with REXML, here the basic entity replacement works
but I can’t find how to set the parse options.

doc = REXML::Document.new(xml_data)
doc.elements.each('a/inject') do |ele|
puts ele.text
end

Finally I’ve tried setting up a vulnerable environment with the
versions and code from this example but this returns nothing

What am I doing wrong? If there is a better way to do this then feel
free to suggest it; I’m not tied to either of these ways, I just need
a way to practice exploitation of this vulnerability.

On 9 November 2014 08:27, Kouhei S. [email protected] wrote:


REXML doesn’t support expanding SYSTEM entities. So REXML
doesn’t have a vulnerability related to external content.

That’s useful to know, thanks

Robin

Hi,

In [email protected]
“making REXML or Nokogiri vulnerable to XXE” on Wed, 5 Nov 2014
23:13:32 +0000,
Robin W. [email protected] wrote:

I’ve got the following XML which should replace &xxe with the contents
of the passwd file if the script is vulnerable

xml_data = '<?xml version="1.0"?>

<!DOCTYPE demo [ ]> &xxe; '

I’ve also tried with REXML, here the basic entity replacement works
but I can’t find how to set the parse options.

doc = REXML::Document.new(xml_data)
doc.elements.each('a/inject') do |ele|
puts ele.text
end

REXML doesn’t support expanding SYSTEM entities. So REXML
doesn’t have a vulnerability related to external content.

Thanks,
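The claim above, that REXML expands ordinary internal entities but leaves SYSTEM entities alone, can be turned into a regression check that a parser is safe to keep in place. The Ruby below is an added example, not code from this thread or from the REXML project: `build_xml`, `parse_with_rexml` and `rexml_external_entity_check` are names chosen here, and the SYSTEM entity points at a temp file the script creates itself (containing a constructed marker string) rather than at /etc/passwd, so the check runs self-contained and shows whether the parser ever reads the referenced file.

```ruby
# Added example (not from the original thread): verify that REXML expands an
# internal entity but does NOT fetch the target of a SYSTEM entity.
require "rexml/document"
require "tempfile"

# Build a document whose DOCTYPE declares one internal entity (greet) and one
# external SYSTEM entity (ext). `secret_path` is the file ext refers to;
# the caller constructs it so nothing outside this script is touched.
def build_xml(secret_path)
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE a [
      <!ENTITY greet "hello">
      <!ENTITY ext SYSTEM "file://#{secret_path}">
    ]>
    <a><inject>&greet; &ext;</inject></a>
  XML
end

# Parse with REXML the same way the thread does and return the text of
# a/inject after REXML's own entity handling has run.
def parse_with_rexml(xml)
  doc = REXML::Document.new(xml)
  doc.elements["a/inject"].text
end

# Run the check: write a marker into a temp file, point the SYSTEM entity
# at it, and report whether each entity kind was expanded. A safe parser
# yields internal_expanded == true and external_expanded == false.
def rexml_external_entity_check
  Tempfile.create("entity-check") do |f|
    f.write("SECRET-MARKER-CONSTRUCTED")   # constructed sample content
    f.flush
    text = parse_with_rexml(build_xml(f.path))
    {
      text: text,
      internal_expanded: text.include?("hello"),
      external_expanded: text.include?("SECRET-MARKER-CONSTRUCTED"),
    }
  end
end

if __FILE__ == $0
  result = rexml_external_entity_check
  puts "parsed text:        #{result[:text].inspect}"
  puts "internal expanded:  #{result[:internal_expanded]}"
  puts "external expanded:  #{result[:external_expanded]}"
end
```

With REXML the parsed text keeps the literal `&ext;` reference while `&greet;` becomes `hello`, which is the behaviour Kouhei describes; the same harness can be pointed at another parser by swapping `parse_with_rexml`, and a result with `external_expanded` true is the signal that the parser in use resolves external entities and needs its options reviewed.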