cyberhub.es

Category: Portswigger Lab writeup

Exploiting XXE via image file upload

Description: This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files. To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the "Submit solution" button to submit the value of the server hostname. Exploiting XXE via image file upload […]

Exploiting XInclude to retrieve files

Description: This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed. Because you don’t control the entire XML document you can’t define a DTD to launch a classic XXE attack. To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file. Exploiting XInclude […]

Exploiting blind XXE to retrieve data via error messages

Description: This lab has a "Check stock" feature that parses XML input but does not display the result. To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file. The lab contains a link to an exploit server on a different domain where you can host your […]

Exploiting blind XXE to exfiltrate data using a malicious external DTD

Description: This lab has a "Check stock" feature that parses XML input but does not display the result. To solve the lab, exfiltrate the contents of the /etc/hostname file. Exploiting blind XXE to exfiltrate data using a malicious external DTD writeup: On entering, we see an online shop. We open a product with ‘View details’ and capture the […]

Blind XXE with out-of-band interaction via XML parameter entities

Description: This lab has a "Check stock" feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities. To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator. Blind XXE with out-of-band interaction via […]

Blind XXE with out-of-band interaction

Description: This lab has a "Check stock" feature that parses XML input but does not display the result. You can detect the blind XXE vulnerability by triggering out-of-band interactions with an external domain. To solve the lab, use an external entity to make the XML parser issue a DNS lookup and HTTP request to Burp […]

Exploiting XXE to perform SSRF attacks

Description: This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response. The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive. To solve […]

Exploiting XXE using external entities to retrieve files

Description: This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response. To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file. Exploiting XXE using external entities to retrieve files writeup: On entering the lab we will see an online shop. We will go to […]

Basic server-side template injection (code context)

Description: This lab is vulnerable to server-side template injection due to the way it unsafely uses a Tornado template. To solve the lab, review the Tornado documentation to discover how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory. You can log in to your own account using the following credentials: wiener:peter Basic server-side […]

Basic server-side template injection

Description: This lab is vulnerable to server-side template injection due to the unsafe construction of an ERB template. To solve the lab, review the ERB documentation to find out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory. Basic server-side template injection writeup: In the lab description, it tells us that […]
