bersecurity11.6 Lab: Exploiting blind XXE to retrieve data via error messages | 2024
2024-3-4 13:23:9 Author: infosecwriteups.com(查看原文) 阅读量:6 收藏

This lab has a “Check stock” feature that parses XML input but does not display the result. To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file. The lab contains a link to an exploit server on a different domain where you can host your malicious DTD | Karthikeyan Nagaraj

Karthikeyan Nagaraj

InfoSec Write-ups

This lab has a “Check stock” feature that parses XML input but does not display the result.

To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file.

The lab contains a link to an exploit server on a different domain where you can host your malicious DTD.

  1. Go to the Exploit server, change the name of file to /exploit.dtd, and paste the below code in body.

2. Now, Click a product, Click Check stock, Capture the request, and send it to the repeater.

3. Go to the exploit server, copy the file URL, and paste it in the below Code.

4. Insert the following external entity definition in between the XML declaration and the stockCheck element. Replace the file URL below:

5. The Lab will be solved once you get the /etc/passwd Contents


文章来源: https://infosecwriteups.com/bersecurity11-6-lab-exploiting-blind-xxe-to-retrieve-data-via-error-messages-2024-4b7f1340195a?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh