CyberSecurity/Web/BountyStory/XXE/20230315 - Exploiting Out-of-Band XXE in the Wild from P4 to P1.md
| 1 | + | # Exploiting Out-of-Band XXE in the Wild from P4 to P1 🏆 |
| 2 | + | <br> |
| 3 | + | |
| 4 | + | ### Phase 1 --> Recon 🧐 |
| 5 | + | 1. Collected list of IP from shodan<br> |
| 6 | + | 2. Made full port scan with rustscan<br> |
| 7 | + | 3. Came across IP with port 9180use some XML content<br> |
| 8 | + | 4. I decided to test XXE<br> |
| 9 | + | <br> |
| 10 | + | |
| 11 | + | ### Phase 2 --> Analysis 🧩 |
| 12 | + | 1. I tried to retrieve local files, but i got nothing<br> |
| 13 | + | 2. I used XXE payloads and started to compare with the responses differences, but I got nothing again.<br> |
| 14 | + | ![20230315-1.png](../images/20230315-1.png)<br> |
| 15 | + | <br> |
| 16 | + | |
| 17 | + | ### Phase 3 --> SSRF (P4) 🍳 |
| 18 | + | 1. I tried to perform an HTTP request to my burp collab.<br> |
| 19 | + | 2. So I tried several payloads until finally one of them worked.<br> |
| 20 | + | 3. Bingoooooo! now I have P4 submission.<br> |
| 21 | + | ![20230315-2.png](../images/20230315-2.png)<br> |
| 22 | + | <br> |
| 23 | + | |
| 24 | + | ### Phase 4 --> Port Scan (P3) 🍟 |
| 25 | + | 1. I thought what about escalating it to P3 with a simple port scanning?<br> |
| 26 | + | 2. So I sent a simple request to 9180 and another to 1234 and compare the two responses<br> |
| 27 | + | 3. So I made a simple port scan for top 10000 ports, and I got some open ports :)<br> |
| 28 | + | ![20230315-3.png](../images/20230315-3.png)<br> |
| 29 | + | <br> |
| 30 | + | |
| 31 | + | ### Phase 5 --> Limited OOB XXE (P2) 🍔 |
| 32 | + | 1. I thought it’s time to test Out-of-band XXE (picture)<br> |
| 33 | + | 2. So we need a malicious DTD file that requests local files<br> |
| 34 | + | 3. Our malicious DTD requests /etc/hostname file and send it to my IP on 1337 port<br> |
| 35 | + | 4. And guess what?I got the result.<br> |
| 36 | + | ![20230315-4.png](../images/20230315-4.png)<br> |
| 37 | + | ![20230315-5.png](../images/20230315-5.png)<br> |
| 38 | + | |
| 39 | + | |
| 40 | + | ### Phase 6 --> final XXE (P1) 🏅 |
| 41 | + | 1. I made the OOB XXE exploitation successfully!! But actually, I couldn’t get any file with multiple lines<br> |
| 42 | + | 2. I tried several techniques such as base64, FTP, ... but i failed in all of them.<br> |
| 43 | + | 3. Finally I was able to do this with error messages<br> |
| 44 | + | ![20230315-6.png](../images/20230315-6.png)<br> |
| 45 | + | |
| 46 | + | |
| 47 | + | ## Credit |
| 48 | + | Based on [Mahmoud Youssef](https://0xmahmoudjo0.medium.com/exploiting-out-of-band-xxe-in-the-wild-16fc6dad9ee2)'s writeup. |
| 49 | + | <br> |
| 50 | + | |
| 51 | + | ## Support |
| 52 | + | You can Follow [me](https://twitter.com/MeAsHacker_HNA) on twitter or |
| 53 | + | <br><br><a href="https://www.buymeacoffee.com/NafisiAslH" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a> |
| 54 | + | |
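Review bot: the added writeup never names the root cause or a mitigation, so a reader reaching the P1 result at line 43 ("Finally I was able to do this with error messages") learns the escalation path but not what the service got wrong; consider adding one sentence under Phase 6 or Credit stating that the service's XML parser resolved external DTDs and entities, and that disabling DTD processing and external entity resolution in the parser (or blocking outbound HTTP/FTP from the parsing host) is the fix, since every phase from the SSRF at line 19 to the error-based file read at line 43 depends on that behaviour. Two smaller points in the same hunk: line 7 reads "port 9180use some XML content", apparently a lost space and word ("port 9180 using some XML content"), and the file mixes trailing `<br>` tags with markdown blank lines (lines 2, 5, 9, 10 and onward), which renders as double spacing on GitHub; dropping the `<br>` tags and relying on blank lines alone would keep the rendering consistent.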