Number four on the OWASP Top 10 list is what are called XML external entities. Now this is also known as an XXE attack. So what is XXE? Well, XXE abuses systems, or attacks systems, that parse XML input. So what you're going to see here in our example in the next video is that we're going to take XML input and get malicious with it. We're going to upload it into an upload file feature, and it's going to try to parse that XML input, and then we're going to be able to do malicious code with that XML input and get some information out of the system that we're attacking. This will all make sense here in just a minute. Because of this, we're going to be abusing what's called a SYSTEM entity; when we talk about XML here in a minute you'll see what that means and how we can get malicious with it. And lastly, the attacks that we can do include denial of service, local file disclosure, which is what we're going to be doing, remote code execution, and much more. All right. So let's say that I want to write out this XML document, and I just kind of want to cover the basics of XML first so that you can understand why this attack is going to work and what we're doing with it exactly.
So let's start by writing this out. Up at the top I'm just going to type this out here, the XML version, and what this is is what's called our metadata. Now you don't always need this, but I always like to include it at the top. So go ahead and just follow along, and if you need to pause at any time while I'm typing this out, please feel free. I am going to try to talk slow and type fast. That way you can follow along and have opportunities to catch up. So at the very top we've declared that this is an XML document, and what we're going to do with that is we're just putting this header here, we're saying hey, the version is 1.0, here's our encoding, and then we're going to need to declare what is called a root element. So we have elements, OK. And so we're just going to say gift; in this situation we're giving out a gift. OK. So here is our root element, and I'm going to do it just like this. And if you've ever used HTML before, all you've got to do is close off your tags here. So you've got this gift, and then we're going to say slash gift to end this element. So up here we're going to go ahead and just hit a tab, and let's say that we're giving out a gift, and to give out that gift we need a recipient.
We're going to need to say hey, we're going to do "to". And I'm doing this gift idea because, if you see the top, it is December 21st, it's almost 1:00 a.m. here, so it's really close to Christmas or whatever holiday that you celebrate. So I thought this would be a good idea. So we're going to give this gift to our buddy Frank. We did him dirty in the A2 section, we owned his account, he had bad passwords. Let's give him something nice to say thank you. And we're going to say "from", you go ahead and put your name in here, close off from, and then we're going to go ahead and just give him an item. So the item I'm going to give him is Pokemon cards, because who doesn't love Pokemon cards, right? So we have the gift, which is our root element. These are what is called our children elements. OK. So remember that we have root and children. Now let's say we're in a situation where I've got a lot of gifts I want to give and I don't want to have to type this over and over and over again. Well, then we can use something that's called an entity, which is basically like a variable. So let's go ahead and take a look at that entity. So to add an entity we're going to say something like this. We're going to declare a DOCTYPE up here, and we're just going to call it gift, and we're going to say ENTITY from "Heath".
And this will make sense in just a second. So go ahead and copy that out. So what I'm going to do here is I'm saying hey, I have an entity and I want to call that, and when I call that I want to go ahead and place Heath there. So again, like a variable, right, wherever we call the variable that is just going to be placed there. So we're going to say &from; like this. OK. So we have ampersand, from, and then semicolon, and that calls it. Now why is this also interesting, what is this doing for us? So a couple of things here to point out. What we have here, this DOCTYPE, is what is called a document type definition, that is a DTD, you will hear that again, DTD. So we are declaring this entity within the DTD here. Now we have a lot of gifts to give away. We can use from repeatedly, right. Well, let's say we're in a situation, I'm just going to add some spaces in here, where we don't have from, but instead we just had something like Heath, and maybe there was, you know, another person like Amber, that I wanted, you know, the gift to be from multiple people. Right. So I could say Heath + Amber, Heath & Amber, Heath / Amber. Well, the thing here is, if we had just that in here, that's not going to work out for us.
These characters, a lot of these are just forbidden characters. So we can put in, you know, alphanumerics, but when it comes to these special characters it kind of gets funky. And imagine if we wanted a special character like, I don't know, a greater-than symbol or a less-than symbol. What's that going to do to our code? That's going to mess things up. So what we can do is we can use these entities to call things down. So if I put in here and I said "Heath and Amber", guess what, that would actually bring down, as long as I declared it here and I said from. So not only does it work as a variable, but it allows us to include other items, right, special characters. And if your mind is spinning, you've got that attack thought process. What does that mean? Well, that means that we can add things in like, I don't know, forward slashes, maybe try to grab a file, maybe a colon in there too, something along the lines of like C:/, maybe try to give a file out. Right. So let's take a look at something here. I'm going to show you a payload, so let's go out to Google, and I'm just going to say Google and then I'm going to say XXE payloads. Now I do this with a lot of stuff, by the way. You're going to see me do this over and over.
I love to just go look up payloads because there's so many things out there and I can't remember everything. So I open up a couple of these; let's look at PayloadsAllTheThings here and just kind of scroll through it. And what I'm looking for is the classic XXE, that's what we're after here. So the file system that we're attacking is either going to be Linux or it's going to be Windows. We are after a Linux system. Why? Because we're running on Docker, right, on our Linux system. So we're going to run in Docker on our Linux system and we're going to attack the /etc/passwd file. So what we're going to do here is we're just going to copy this one down, and I'm going to copy this one, and actually let's copy the second one, this looks more like what we did before. Let's copy the second one, and I'm just going to delete all this out of here and I'm going to paste it in, so this looks familiar. Right. Exactly what we just did. We have our DOCTYPE and we declare an element inside the DTD, OK, and then we also have an entity xxe and we're calling out SYSTEM here. So before, we were declaring, we were just, you know, saying hey, it's Heath, ENTITY from "Heath".
Right, well here we're adding a little bit extra, we're saying SYSTEM, and SYSTEM is a keyword used in an entity to let the parser know that the resource is external and should be stored inside the entity. OK. So this allows us to put this kind of content here maliciously into it. What else does SYSTEM do? Well, it allows us to pull data from the system. So what we're trying to do is we're saying hey, ENTITY xxe SYSTEM, and then go ahead and pull the /etc/passwd file, let's try that. And then what we have here, we have our child, and we call out foo, or the element that we call out, foo. Then we're going to say hey, I want you to go ahead and put in here the &xxe; which is going to just be a placeholder for a system file, /etc/passwd, now. Hopefully that all makes sense. In the next video we're going to go ahead and take this, we're going to get malicious with this and actually attack the upload and see how this pulls down for us. So let's go ahead and move on to the next video where we actually exploit XXE.
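An added example (mine, not from the video): the same gift document with the `from` entity, run through Python's standard-library ElementTree to show the entity expanding like a variable, alongside a defender-side check that flags SYSTEM or PUBLIC entity declarations in uploaded XML before it is parsed. It assumes the consuming parser is `xml.etree.ElementTree`, which does not fetch external entities; other XML libraries may, so the pre-parse check is the portable control.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the lecture's gift document with an internal entity
# 'from' declared in the DTD. '&amp;' inside the entity value is expanded
# only when &from; is referenced, so the child text becomes "Heath & Amber".
GIFT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE gift [
  <!ENTITY from "Heath &amp; Amber">
]>
<gift>
  <to>Frank</to>
  <from>&from;</from>
  <item>Pokemon cards</item>
</gift>"""

# Constructed sample shaped like the classic payload the lecture copies:
# the entity is declared with SYSTEM, so the parser is asked to read a file.
XXE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>"""

# Any entity declaration (general or parameter) that points outside the
# document via a SYSTEM or PUBLIC identifier.
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def declares_external_entity(xml_text: str) -> bool:
    """Upload-time check: True if the DTD declares an external entity."""
    return EXTERNAL_ENTITY_RE.search(xml_text) is not None


def parse_gift(xml_text: str) -> dict:
    """Parse the gift document; internal entities are expanded by the parser."""
    root = ET.fromstring(xml_text)
    return {child.tag: child.text for child in root}


def safe_parse(xml_text: str):
    """Reject external-entity documents up front, otherwise parse.

    Returns ('rejected', reason), ('error', message) or ('ok', root).
    """
    if declares_external_entity(xml_text):
        return "rejected", "external entity declaration in DTD"
    try:
        return "ok", ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # ElementTree never fetches the SYSTEM resource; the &xxe; reference
        # surfaces as an undefined-entity ParseError instead of file contents.
        return "error", str(exc)


def stdlib_refuses_external(xml_text: str) -> bool:
    """True if ElementTree raises rather than resolving the external entity."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return True
    return False
```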