Exploitation

What we did so far was just to ping back our Burp Collaborator from the remote host, but that alone doesn't tell us how to go on and exploit this vulnerability. Every attacker wants to retrieve some sort of interesting information, and this can be achieved using this blind XXE. The attack is only possible when the attacker hosts a malicious DTD on a system that they control and then invokes the external DTD from within the in-band XXE payload.

The malicious DTD works as follows:
- It defines an XML parameter entity called file, which contains the contents of /etc/passwd.
- It defines another XML parameter entity called eval, containing a dynamic declaration of a further XML parameter entity called exfiltrate. The exfiltrate entity will be evaluated by making an HTTP request to the attacker's web server containing the value of the file entity within the URL query string.
- It uses the eval entity, which causes the dynamic declaration of the exfiltrate entity to be performed.
- It uses the exfiltrate entity, so that its value is evaluated by requesting the specified URL.
The attacker must then host the malicious DTD on a system that they control, normally by loading it onto their own web server. Finally, the attacker must modify the request to be something like this:

So we just managed to exfiltrate the hostname using a malicious external DTD.
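The defence against everything above is parser configuration, not URL filtering: a parser that never loads external DTDs or resolves external entities has no way to fetch the attacker's DTD in the first place. The function below is an added example, not code from this writeup or from PortSwigger, built on Python's standard-library expat binding. It switches off external parameter entity parsing, rejects any DOCTYPE by default (or, when DOCTYPEs must be accepted, any entity declaration carrying a SYSTEM or PUBLIC identifier), and refuses every external entity fetch as defence in depth. The sample documents and the dtd.example URL are constructed for the example.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a document declares something a hardened parser must not process."""


def parse_hardened(data: bytes, allow_doctype: bool = False) -> dict:
    """Parse XML with external entity resolution disabled.

    Returns a dict with the root element name, the collected character data
    and the names of any entity declarations seen. Raises UnsafeXmlError on a
    DOCTYPE (unless allow_doctype is True), on an external DTD subset, and on
    any entity declaration that points at a SYSTEM or PUBLIC identifier.
    """
    parser = expat.ParserCreate()
    # Never load external parameter entities. This is expat's default, but
    # setting it explicitly makes the policy visible in code review.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    summary = {"root": None, "text": [], "entities": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise UnsafeXmlError(f"DOCTYPE '{name}' rejected: DTDs are not accepted")
        if sysid is not None or pubid is not None:
            raise UnsafeXmlError(f"external DTD subset rejected: {sysid or pubid}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Fires for every <!ENTITY ...> in the internal subset, including the
        # '<!ENTITY % ... SYSTEM "...">' shape used to pull in a remote DTD.
        summary["entities"].append(name)
        if sysid is not None or pubid is not None:
            kind = "parameter" if is_param else "general"
            raise UnsafeXmlError(
                f"external {kind} entity '{name}' rejected: {sysid or pubid}")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: even if a declaration slipped through, refuse the fetch.
        raise UnsafeXmlError(f"external entity fetch blocked: {sysid}")

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name

    def on_chars(text):
        summary["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars

    parser.Parse(data, True)
    summary["text"] = "".join(summary["text"]).strip()
    return summary


def check_document(data: bytes, allow_doctype: bool = False):
    """Gateway-style wrapper: return (accepted, detail) instead of raising."""
    try:
        summary = parse_hardened(data, allow_doctype=allow_doctype)
    except UnsafeXmlError as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, summary["text"]


# Constructed sample documents (not captured traffic).
BENIGN = b"<stockCheck><productId>1</productId></stockCheck>"
INTERNAL_ONLY = b'<!DOCTYPE x [<!ENTITY greeting "hello">]><x>&greeting;</x>'
EXTERNAL_DTD = (b'<!DOCTYPE x [<!ENTITY % ext SYSTEM "http://dtd.example/x.dtd"> %ext;]>'
                b'<x>1</x>')
EXTERNAL_GENERAL = b'<!DOCTYPE x [<!ENTITY h SYSTEM "file:///etc/hostname">]><x>&h;</x>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("internal entity", INTERNAL_ONLY),
                       ("external DTD", EXTERNAL_DTD), ("external general", EXTERNAL_GENERAL)]:
        print(f"{label:18} strict={check_document(doc)}  "
              f"allow_doctype={check_document(doc, allow_doctype=True)}")
```

The strict default (no DOCTYPE at all) is the setting to ship; allow_doctype=True is only for applications that genuinely need internal entity definitions, and even then nothing with a SYSTEM or PUBLIC identifier gets through.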
When we try to ping back our Burp Collaborator the usual way, it doesn't work, so we'll have to find another way to get it. Luckily, the PortSwigger labs provide us with an exploit server where we can craft and store our own payload. When we store this payload, notice the URL: it is the address of our malicious DTD. Now we can exploit it the normal way, and when we poll back we notice there is a DNS and an HTTP interaction. Checking out the HTTP request gives us a GET request containing the hostname.
Note

/etc/passwd doesn't work because of the newline characters in the file. Some XML parsers fetch the URL in the external entity definition using an API that validates the characters that are allowed to appear within the URL. It is best to use FTP:// instead of HTTP://. That's why we use files like /etc/hostname.
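The note above describes a quirk of some parsers, not a security control: the request fails only because the URL-building API rejects control characters, and the parser has still resolved an external entity it should never have loaded. The snippet below is an added example, not from the writeup, that reproduces that kind of check with Python's http.client, which validates the request path in putrequest() before anything is sent, so it runs offline. Both sample values are constructed.

```python
import http.client

# Constructed sample values standing in for file contents a parser might
# append to a URL: one single-line value and one spanning two lines.
SINGLE_LINE_VALUE = "webserver-01"
MULTI_LINE_VALUE = "first line\nsecond line"


def url_accepted_by_http_client(value: str) -> bool:
    """Return True if http.client would emit a GET whose query carries value verbatim.

    No network is used: putrequest() only builds the request line, and it
    validates the path first, raising InvalidURL on characters such as
    newline that are not allowed in a URL.
    """
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", "/?x=" + value)
    except http.client.InvalidURL:
        return False
    finally:
        conn.close()
    return True


if __name__ == "__main__":
    print("single-line value accepted:", url_accepted_by_http_client(SINGLE_LINE_VALUE))
    print("multi-line value accepted: ", url_accepted_by_http_client(MULTI_LINE_VALUE))
```

The asymmetry is exactly what the note reports: a one-line file passes the check and a multi-line one does not. Relying on it would be a mistake, since it depends on which client library the parser happens to use; disabling external entity resolution removes the outbound request altogether.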