XXE Injections
Abusing XML Parsers
Table of Contents
Classless Inter-Domain Routing (CIDR)
Classless Addressing is an improved IP Addressing system. It makes the allocation of IP Addresses more efficient by allowing us to describe specific network configurations.
Notation
| IP ADDR RANGE | NUMBER OF ADDRESSES |
|---|---|
| X.X.X.X/8 | 232 - 24 = 224 = 16,777,216 |
| X.X.X.X/12 | 232 - 12 = 220 = 1,048,576 |
| X.X.X.X/16 | 232 - 16 = 216 = 65,536 |
| X.X.X.X/20 | 232 - 20 = 212 = 4,096 |
| X.X.X.X/24 | 232 - 24 = 28 = 256 |
| X.X.X.X/28 | 232 - 28 = 24 = 16 |
| X.X.X.X/Y | 2(32 - Y) addresses where 1 <= X <=255 and 1 <= Y <= 32 |
It’s important to keep in mind that we don’t have to use even number on the CIDR address.
| IP ADDR RANGE | NUMBER OF ADDRESSES |
|---|---|
| X.X.X.X/29 | 232 - 29 = 23 = 8 |
There are some special cases.
The use of /31 networks is a special case defined by RFC 3021 where the two IP addresses in the subnet are usable for point-to-point links to conserve IPv4 address space. Not all operating systems support RFC 3021, so use it with caution.
The Internet
In laymans terms, the use case for a /31 is for a link network that is used to connect two routers to each other.
All of that is good and well but how do we model networks quickly?
The script I use to convert networks in CIDR notation to ip’s and subnet ranges is here.
Modeling Networks
./Convert-CIDRInfo.ps1 -NetworkAddress '172.16.0.0/12'
Output:
IP : 172.16.0.0
NetworkLength : 12
SubnetMask : 255.240.0.0
NetworkAddress : 172.16.0.0
HostMin : 172.16.0.1
HostMax : 172.31.255.254
Broadcast : 172.31.255.255
UsableHosts : 1048574
TotalHosts : 1048576
GatewaysEnumerated : {}
IPEnumerated : {}
BinaryIP : 10101100000100000000000000000000
BinarySubnetMask : 11111111111100000000000000000000
BinaryNetworkAddress : 10101100000100000000000000000000
BinaryBroadcast : 10101100000111111111111111111111
Enumerating Gateways
./Convert-CIDRInfo.ps1 -NetworkAddress '172.16.0.0/12' -Gateway
Output:
IP : 172.16.0.0
NetworkLength : 12
SubnetMask : 255.240.0.0
NetworkAddress : 172.16.0.0
HostMin : 172.16.0.1
HostMax : 172.31.255.254
Broadcast : 172.31.255.255
UsableHosts : 1048574
TotalHosts : 1048576
GatewaysEnumerated : {172.16.0.1, 172.16.1.1, 172.16.2.1, 172.16.3.1…}
IPEnumerated : {}
BinaryIP : 10101100000100000000000000000000
BinarySubnetMask : 11111111111100000000000000000000
BinaryNetworkAddress : 10101100000100000000000000000000
BinaryBroadcast : 10101100000111111111111111111111
Enumerating IPs in a Hypothetical subnet
./Convert-CIDRInfo.ps1 -NetworkAddress '172.16.0.0/12' -Enumerate
Output:
IP : 172.16.0.0
NetworkLength : 12
SubnetMask : 255.240.0.0
NetworkAddress : 172.16.0.0
HostMin : 172.16.0.1
HostMax : 172.31.255.254
Broadcast : 172.31.255.255
UsableHosts : 1048574
TotalHosts : 1048576
GatewaysEnumerated : {}
IPEnumerated : {172.16.0.1, 172.16.0.2, 172.16.0.3, 172.16.0.4…}
BinaryIP : 10101100000100000000000000000000
BinarySubnetMask : 11111111111100000000000000000000
BinaryNetworkAddress : 10101100000100000000000000000000
BinaryBroadcast : 10101100000111111111111111111111