webPromedium

XXE read

web-kids20

Task WEB_d241 from advanced category. The web application accepts XML data and parses it. The goal is to exploit an XXE (XML External Entity) vulnerability to read local files.

lfi file_read xxe xml

xxe_file_readexternal_entity_injection

$ ls tags/ techniques/

lfi file_read xxe xml

xxe_file_readexternal_entity_injection

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

Sign in with GitHub, Discord, or Google to continue. No email required.

$sign in

$ grep --similar

Similar writeups

[web][Pro]XXE filter— web-kids20
[web][Pro]Lab 140 — Pressboard — XXE via RSS Feed Import— hackadvisor
[web][Pro]Zip slip— web-kids20
[web][Pro]Lab 139 — HireFlow — XXE via XML Application Intake— hackadvisor
[web][Pro]Вектор атаки— bug-makers