    CyberSecurity/Web/BountyStory/XXE/20230315 - Exploiting Out-of-Band XXE in the Wild from P4 to P1.md
     1 +# Exploiting Out-of-Band XXE in the Wild from P4 to P1 🏆
     2 +<br>&nbsp;
     3 + 
     4 +### Phase 1 --> Recon 🧐
     5 +1. Collected list of IP from shodan<br>
     6 +2. Made full port scan with rustscan<br>
     7 +3. Came across IP with port 9180use some XML content<br>
     8 +4. I decided to test XXE<br>
     9 +<br>&nbsp;
     10 + 
     11 +### Phase 2 --> Analysis 🧩
     12 +1. I tried to retrieve local files, but i got nothing<br>
     13 +2. I used XXE payloads and started to compare with the responses differences, but I got nothing again.<br>
     14 +![20230315-1.png](../images/20230315-1.png)<br>
     15 +<br>&nbsp;
     16 + 
     17 +### Phase 3 --> SSRF (P4) 🍳
     18 +1. I tried to perform an HTTP request to my burp collab.<br>
     19 +2. So I tried several payloads until finally one of them worked.<br>
     20 +3. Bingoooooo! now I have P4 submission.<br>
     21 +![20230315-2.png](../images/20230315-2.png)<br>
     22 +<br>&nbsp;
     23 + 
     24 +### Phase 4 --> Port Scan (P3) 🍟
     25 +1. I thought what about escalating it to P3 with a simple port scanning?<br>
     26 +2. So I sent a simple request to 9180 and another to 1234 and compare the two responses<br>
     27 +3. So I made a simple port scan for top 10000 ports, and I got some open ports :)<br>
     28 +![20230315-3.png](../images/20230315-3.png)<br>
     29 +<br>&nbsp;
     30 + 
     31 +### Phase 5 --> Limited OOB XXE (P2) 🍔
     32 +1. I thought it’s time to test Out-of-band XXE (picture)<br>
     33 +2. So we need a malicious DTD file that requests local files<br>
     34 +3. Our malicious DTD requests /etc/hostname file and send it to my IP on 1337 port<br>
     35 +4. And guess what?I got the result.<br>
     36 +![20230315-4.png](../images/20230315-4.png)<br>
     37 +![20230315-5.png](../images/20230315-5.png)<br>
     38 + 
     39 + 
     40 +### Phase 6 --> final XXE (P1) 🏅
     41 +1. I made the OOB XXE exploitation successfully!! But actually, I couldn’t get any file with multiple lines<br>
     42 +2. I tried several techniques such as base64, FTP, ... but i failed in all of them.<br>
     43 +3. Finally I was able to do this with error messages<br>
     44 +![20230315-6.png](../images/20230315-6.png)<br>
     45 + 
     46 + 
     47 +## Credit
     48 +Based on [Mahmoud Youssef](https://0xmahmoudjo0.medium.com/exploiting-out-of-band-xxe-in-the-wild-16fc6dad9ee2)'s writeup.
     49 +<br>&nbsp;
     50 + 
     51 +## Support
     52 +You can Follow [me](https://twitter.com/MeAsHacker_HNA) on twitter or
     53 +<br><br><a href="https://www.buymeacoffee.com/NafisiAslH" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>
     54 + 
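Review bot: Phase 1 step 3 is garbled (`3. Came across IP with port 9180use some XML content<br>`): words are missing between the port number and `use`, so the reader cannot tell what the service on 9180 was or how it was identified as XML-driven; please restore the intended wording (presumably that the service on port 9180 accepted XML content, which is what motivated the XXE test in step 4). Two smaller points: the trailing `<br>` on every list item and the repeated `<br>&nbsp;` spacer lines are unnecessary in Markdown (a blank line between blocks renders the same, and some renderers strip raw HTML), and Phase 6 step 3 would be more useful if the remediation were stated next to the technique that finally worked (disable DTD processing and external entity resolution in the XML parser), since that single setting closes every phase of this chain from the SSRF onward.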