Aleyna
Lab link. This lab has a “Check stock” feature that parses XML input but does not display the result. To solve the lab, trigger an error message containing the contents of the /etc/passwd file. You’ll need to reference an existing DTD file on the server and redefine an entity from it. When applications return all error messages …
Lab link. This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files. To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the “Submit solution” button to submit the value of the server hostname. In some systems, we need …
Lab link. This lab has a “Check stock” feature that embeds the user input inside a server-side XML document that is subsequently parsed. Because you don’t control the entire XML document you can’t define a DTD to launch a classic XXE attack. To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file. XInclude is a …
Lab link. This lab has a “Check stock” feature that parses XML input but does not display the result. To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file. The lab contains a link to an exploit server on a different domain where you can host …
Lab link. This lab has a “Check stock” feature that parses XML input but does not display the result. To solve the lab, exfiltrate the contents of the /etc/hostname file. The main goal of the attacker is to leak sensitive data. Blind XXE also involves hosting a malicious DTD to obtain the data and then calling the …
Lab link. This lab has a “Check stock” feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities. To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator. In the lab, we first …
Lab link. This lab has a “Check stock” feature that parses XML input but does not display the result. You can detect the blind XXE vulnerability by triggering out-of-band interactions with an external domain. To solve the lab, use an external entity to make the XML parser issue a DNS lookup and HTTP request to …
Lab link. If the application has taken precautions for the file extension, there are several ways to bypass this precaution. In this lab, we use the null byte method to bypass the file extension blocking. In Requesat’s response, we see that our file was uploaded correctly. In the GET /files/avatars/ we correct our file name …
Lab link. The application has used a blacklist for security, but if we upload the .htaccess file, we can allow any file extension we want on the server. The file with the .php extension does not work. We make changes to the POST /my-account/avatar request. Now we can upload files with .l33t extension. We change …
Lab link. In some systems, there may be more than one vulnerability, or we may continue with a different vulnerability in the continuation of one vulnerability. In this lab, we can upload files thanks to path traversal. In the lab, we are asked to access the file /home/carlos/secret. We create a php file to access …