webProeasy

Lab 24 — SheetMetric — XXE via Malicious Excel Upload

hackadvisor

Task: SheetMetric business analytics platform with .xlsx file upload processed server-side by Java XML parser with external entity resolution enabled. Solution: XXE injection via crafted XLSX file with malicious DOCTYPE in xl/sharedStrings.xml to read /root/flag.txt through file:// protocol entity.

$ ls tags/ techniques/

lfi file_read file_upload java xlsx excel xxe xml alpine_linux honeypot_flag spring

xxe_file_readexternal_entity_injectionxlsx_xxemalicious_excel_uploadshared_strings_injection

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]MetricFlow — DOM XSS via Prototype Pollution Gadget— hackadvisor
[web][Pro]Lab 38 — PipelineForge — XXE in XML Pipeline Import— hackadvisor
[web][Pro]MetricForge— hackadvisor
[web][Pro]Lab 139 — HireFlow — XXE via XML Application Intake— hackadvisor
[web][free]open-insight— umdctf