Advanced XXE Exploitation Exercise 2: External DTD (App port 8022) Philippe Arteau GoSecure Countertack 19/06/2019 Slides: http://bit.ly/xxeparis
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
![Page 1: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/1.jpg)
Advanced XXE ExploitationExercise 2: External DTD (App port 8022)
Philippe ArteauGoSecure Countertack
19/06/2019Slides: http://bit.ly/xxeparis
![Page 2: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/2.jpg)
![Page 3: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/3.jpg)
Direct response from XXE
Not ideal In some case, you might have no response
![Page 4: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/4.jpg)
Side-Channel XXE with external DTD
XML
Request DTD
Request FTP
![Page 5: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/5.jpg)
XML payload
DTD host over HTTP
![Page 6: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/6.jpg)
XML payload
FTP service
![Page 7: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/7.jpg)
Edit FTP to have something unique
In real test, you should test using :- 443- 80- 21
![Page 8: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/8.jpg)
1. Send XML payload
2. DTD is loaded!
3. FTP URL is evaluated!
Putting the pieces together
![Page 9: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/9.jpg)
Using repeater efficiently with HackVertor
![Page 10: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/10.jpg)
Using the fake FTP server interactivelly
![Page 11: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/11.jpg)
Bonus:Try to get RCE on the server
![Page 12: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window](https://reader030.cupdf.com/reader030/viewer/2022040222/5e4ba579afa678245e6773ab/html5/thumbnails/12.jpg)
Related Documents
