Exploiting XXE using external entities to retrieve files

Description

This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.

To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file.

Approach

After accessing the lab, I activated the Firefox FoxyProxy extension to proxy my web requests through Burp Suite. I began navigating the website, searching for requests that sent XML data to the backend. One request immediately caught my attention:

POST /product/stock HTTP/2
Host: 0a1600e604adacf38168d960002a0046.web-security-academy.net
Cookie: session=OKpqtvFe3lUQf1hlWYlyzg8NFNq1Vatb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 ...

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
	<productId>1</productId>
	<storeId>1</storeId>
</stockCheck>

I forwarded this request to Repeater for further examination. Next, I declared a new external entity in a DOCTYPE that referenced the /etc/passwd file. By referencing this entity in the value of either the productId or storeId field, I successfully retrieved the contents of the /etc/passwd file: the server expanded the entity while parsing, and because the stock check reflects any unexpected values, the file contents appeared in the response.

By exploiting this XXE vulnerability, I was able to solve the lab.
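The defensive counterpart, as an added example that is not part of the lab or of this write-up: a stock-check parser built on Python's standard-library expat that refuses any DOCTYPE before entities can be declared, and validates the two fields as integers instead of reflecting them. The sample request bodies are constructed for the example.

```python
import xml.parsers.expat

# Constructed sample bodies: the lab's benign request and a DTD-bearing variant.
BENIGN_REQUEST = b'<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
DTD_REQUEST = b'<?xml version="1.0"?><!DOCTYPE stockCheck [<!ENTITY ext SYSTEM "file:///dev/null">]><stockCheck><productId>&ext;</productId><storeId>1</storeId></stockCheck>'


class UnsafeXmlError(ValueError):
    """Raised when the body carries DTD constructs a stock check never needs."""


def parse_stock_check(body: bytes) -> dict:
    """Parse <stockCheck> with expat configured to refuse any DTD.

    Rejecting the DOCTYPE up front means no entity, internal or external,
    is ever declared, so nothing can be expanded into the field values.
    """
    fields, current = {}, [None]

    def refuse_doctype(*_):
        raise UnsafeXmlError("DOCTYPE declarations are not accepted")

    def refuse_entity(*_):
        raise UnsafeXmlError("entity declarations are not accepted")

    def start(name, _attrs):
        current[0] = name

    def end(_name):
        current[0] = None

    def chars(data):
        if current[0] in ("productId", "storeId"):
            fields[current[0]] = fields.get(current[0], "") + data

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    # Defence in depth: returning 0 makes expat abort on any external reference.
    parser.ExternalEntityRefHandler = lambda *_: 0
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(body, True)

    # Do not reflect raw field text: the lab leaks file contents precisely
    # because "unexpected values" are echoed back. Require integers instead.
    try:
        return {k: int(fields[k]) for k in ("productId", "storeId")}
    except (KeyError, ValueError):
        raise ValueError("productId and storeId must be integers") from None
```

Refusing the DOCTYPE is the stricter choice; where a DTD is genuinely required, the entity handlers above still stop declarations from being honoured.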
