XXE to SSRF

Apart from reading juicy information, we can also use XXE to perform an SSRF attack, which is a very serious issue: the server-side application can be made to send HTTP requests to any URL.

In order to do that we have to define an external entity, like we did previously; the only difference is that we supply a valid URL so that we get a pingback.

We can also test with an internal entity first; if that does not give us what we need, we define our external entity:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/"> ]>

In the above example, the external entity causes the server to send an HTTP request to an internal system within the organization.

Payload - <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>

As usual, change the productID to &xxe; to trigger our payload. The response shows something interesting called latest; assuming that is an endpoint, we append it to the URL in the DTD and trigger the payload again.

We get another endpoint called meta-data. Continuing the same strategy, the URL eventually looked something like

http://169.254.169.254/latest/meta-data/iam/security-credentials/admin

This finally returned a JSON response containing the SecretAccessKey.
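The fix on the server side is to never let user-supplied XML declare entities at all. As an added example (my own code, not from the lab or the write-up above), the gate below uses Python's standard expat bindings to report the DOCTYPE and any SYSTEM/PUBLIC entity declarations in a request body before it reaches the real parser; the sample bodies are constructed to mirror the stock-check request shape used above, and expat fetches nothing here because no external-entity handler is installed.

```python
import xml.parsers.expat

# Constructed sample bodies (not captured traffic): the first carries the
# DOCTYPE from the write-up, the second is the benign stock-check request.
SSRF_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>'
    b'<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>'
)
BENIGN_BODY = (
    b'<?xml version="1.0"?>'
    b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
)


def inspect_dtd(xml_bytes):
    """Return (has_doctype, external_entities) for an XML document.

    external_entities lists (name, system_id) for every entity declared with a
    SYSTEM or PUBLIC identifier, i.e. one whose expansion would make a
    resolving parser fetch a URL or a local file.
    """
    found = {"doctype": False, "external": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        found["doctype"] = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found["external"].append((name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is set, so &xxe; is skipped rather than
    # resolved; this pass only records what the DTD declares.
    parser.Parse(xml_bytes, True)
    return found["doctype"], found["external"]


def accept_request_body(xml_bytes):
    """Gate a request body: reject any document that carries a DOCTYPE."""
    has_doctype, external = inspect_dtd(xml_bytes)
    if has_doctype:
        return False, "rejected: DOCTYPE present, %d external entity declaration(s)" % len(external)
    return True, "ok"
```

Rejecting on any DOCTYPE is deliberate: a parser that sees no DTD has nothing to resolve, which covers internal-subset tricks this check does not enumerate.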
