search

XXE Testing [Initial access]

We know that XML data is shared when we place an order. We will be exploiting this.

hashtag
Introduction to XXE

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

triangle-exclamation

Add this to the Cheat sheet and delete it after that.

LogoPayloadsAllTheThings/XXE Injection/README.md at master · swisskyrepo/PayloadsAllTheThingsGitHubchevron-right
Help for XXE

Modify the request in the burp suite repeater. to test this XXE vulnerability.

We can see that after adding the payload. We got the same output that we were getting before. We didn't get any error. This means our payload is correct or XXE didn't work.

So, Let's test this in another way.

LogoWebhook.site - Test, transform and automate Web requests and emailswebhook.sitechevron-right

To the above site, I will make a request and if it is interectped then this means that this is vulnerable to XXE. Update the response with below data.

We got a warming message in response.

Despite the warming message, we can see that one request has been captured in webhook. Thus proving that it is vulnerable to XXE.

hashtag
RCE [Not worked]

LogoFrom XXE to RCE with PHP/expect — The Missing LinkMediumchevron-right
Way to craft XXE for RCE

Original payload:

So, We need to make reverse shell code in PHP and then host a server. I have done it.

Making payload accounting to our scenario.

Not worked!!

hashtag
Trying to set XXE value on the item field [Worked]

When I set my XXE payload on the item field and ran the command it showed output.

hashtag
Collecting SSH key

On the website, I discovered a username: Daniel. The Nmap results confirm that the SSH port is open. I will retrieve Daniel's SSH key.

I will store this SSH key in a file.

Make a curl command from the burp suite. Right-click on the response tab and click on "Copy as curl command".

I will be using the sed command with the "-n" option to capture all lines between the presented pattern.

Set permission on the SSH key and connect to Daniel's user.

PreviousLooking at codeNextPrivilege escalation [Worked]

Last updated