11.9 Lab: Exploiting XXE to retrieve data by repurposing a local DTD
This lab has a stock check feature that fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed an anti-SSRF defense you will need to bypass | Karthikeyan Nagaraj
Description
This lab has a “Check stock” feature that parses XML input but does not display the result.
To solve the lab, trigger an error message containing the contents of the /etc/passwd
file.
You’ll need to reference an existing DTD file on the server and redefine an entity from it.
Hint
Systems using the GNOME desktop environment often have a DTD at /usr/share/yelp/dtd/docbookx.dtd
containing an entity called ISOamso.
Solution
- Visit a product page, click “Check stock”, and intercept the resulting POST request in Burp Suite.
- Insert the following parameter entity definition in between the XML declaration and the
stockCheck
element:
This will import the Yelp DTD, and then redefine the ISOamso
entity, triggering an error message containing the contents of the /etc/passwd
file.
A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups
Github for Resources:
Telegram Channel for Free Ethical Hacking Dumps
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng