Web Attacks - Advanced File Disclosures

Hey, I was wondering if anyone has had problems with this part of the module? I’ve got the error-based method to work but the CDATA isn’t working. When I try to point the file at “file:///var/www/html/error” I get a message that says it has 8192 bytes with an errno=21. When I use the CDATA method nothing happens at all.

It is a PHP server, your file can’t end with nothing. There has to be a filename.php
Have you got a flag? Seems I’m stuck :slight_smile:
I’ve downloaded all PHP files except flag.php
Tried both methods, CDATA doesn’t work. My server answers the request with the DTD file, but nothing happens. Seems there is a filter for files. Any hints please?

1 Like

One of them works. If CDATA isn’t working, try the error-based one and really pay attention to the steps and details.

1 Like

@QuickFix914 - I’ve finally solved this using CDATA itself… It worked for me after a few attempts… One hint would be that flag.php is located in the / directory only. So, modify your XXE payload accordingly and I got the flag in my response. DM if you are stuck.

CDATA and pay attention to the path for the flag… Hint: /

2 Likes

Thanks I was struggling with this as well and nothing seemed to work until …DOOOUGH

/flag.php, details matter.

Cheers

Don’t know why but CDATA did not work for me as well.
Eventually I got the flag by using the old base64 encoding method.
There are filters in submitDetails.php catching some keywords, but it only works for the POST payload.
Putting the <!ENTITY company SYSTEM xxxxxx> definition in the remote xxe.dtd file can bypass all filters.
Don’t think this is the expected way, though.
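An added illustration of the point in the post above (this is not code from the thread or from the module): a keyword blacklist applied to the POST body misses an entity that is declared in an external DTD, while refusing any DOCTYPE at the parser catches both the inline and the remote case. The sample documents, the blacklist keyword and the placeholder DTD/file URLs below are constructed for this example.

```python
import xml.parsers.expat

# Constructed sample requests (not taken from the module). The second one
# mirrors the post above: the ENTITY declaration lives in a remote DTD, so
# the request body itself never contains the string "<!ENTITY".
BENIGN_DOC = '<root><company>ACME</company></root>'
INLINE_DTD_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE root [<!ENTITY company SYSTEM "file:///placeholder-path">]>'
    '<root><company>&company;</company></root>'
)
REMOTE_DTD_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE root SYSTEM "http://dtd-host.invalid/xxe.dtd">'
    '<root><company>&company;</company></root>'
)

# Hypothetical body-level blacklist, modelled on the filter the post describes.
BLOCKED_KEYWORDS = ("<!ENTITY",)


def keyword_filter_allows(body: str) -> bool:
    """The weak check: string-match the POST body against a keyword list."""
    return not any(keyword.upper() in body.upper() for keyword in BLOCKED_KEYWORDS)


class DoctypeForbidden(ValueError):
    """Raised as soon as the parser sees any DOCTYPE declaration."""


def parse_without_doctype(body: str) -> dict:
    """The robust check: parse with expat and abort on the first DOCTYPE.

    Every XXE variant (inline entity, external DTD, parameter entity) needs a
    DOCTYPE, so rejecting it at the parser covers cases a blacklist misses.
    Returns a {element name: text} mapping for documents that pass.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Exceptions raised in an expat handler propagate out of Parse().
        raise DoctypeForbidden(
            f"DOCTYPE '{name}' rejected (system id: {system_id!r})"
        )

    fields = {}
    stack = []

    def on_start(name, attrs):
        stack.append(name)

    def on_end(name):
        stack.pop()

    def on_chars(data):
        # Character data may arrive in several chunks; accumulate per element.
        if stack:
            fields[stack[-1]] = fields.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(body, True)
    return fields


def doctype_guard_allows(body: str) -> bool:
    """Convenience wrapper: True only if the document parses with no DOCTYPE."""
    try:
        parse_without_doctype(body)
        return True
    except (DoctypeForbidden, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC),
                       ("inline DTD", INLINE_DTD_DOC),
                       ("remote DTD", REMOTE_DTD_DOC)):
        print(f"{label:11} keyword filter allows: {keyword_filter_allows(doc)!s:5} "
              f"DOCTYPE guard allows: {doctype_guard_allows(doc)}")
```

The remote-DTD document passes the keyword filter because the declaration is fetched by the parser later, not sent in the body; the DOCTYPE guard refuses it before any entity can be defined. The same idea is what `defusedxml` and the "disallow DOCTYPE" settings of other XML libraries implement.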

In content, the file:///var/www/html/submitDetails.php path seems invalid. However, retrieving the flag works…

  • Understand the submitDetails.php source code properly. There’s a logic flaw,
  • Try changing the file name in a valid dir with valid and invalid filenames and notice the changes,
  • And I’m sure that CDATA will work.
    Good Luck

Hi,
I can’t get any further here either. At some point I looked for solutions and found something about this, but unfortunately that didn’t work either; it must be something with the web server.