• Home

  • Documents

  • Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 -...
12
Advanced XXE Exploitation Exercise 2: External DTD (App port 8022) Philippe Arteau GoSecure Countertack 19/06/2019 Slides: http://bit.ly/xxeparis

Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

  • Upload
    others

  • View
    18

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

Advanced XXE ExploitationExercise 2: External DTD (App port 8022)

Philippe ArteauGoSecure Countertack

19/06/2019Slides: http://bit.ly/xxeparis

http://bit.ly/xxeparis
Page 2: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window
Page 3: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

Direct response from XXE

Not ideal In some case, you might have no response

Page 4: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

Side-Channel XXE with external DTD

XML

Request DTD

Request FTP

Page 5: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

XML payload

DTD host over HTTP

Page 6: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

XML payload

FTP service

Page 7: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

Edit FTP to have something unique

In real test, you should test using :- 443- 80- 21

Page 8: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

1. Send XML payload

2. DTD is loaded!

3. FTP URL is evaluated!

Putting the pieces together

Page 9: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

Using repeater efficiently with HackVertor

Page 10: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

Using the fake FTP server interactivelly

Page 11: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

Bonus:Try to get RCE on the server

Page 12: Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

QuestionS ?

[email protected]/blog/@h3xStream @GoSecure_Inc


THE GOSECURE EMAIL SECURITY PLATFORM€¦ · GoSecure ThreatTest is the world’s first fully-managed, postdelivery anti-phishing solution. Patent pending, ThreatTest removes the

THE GOSECURE EMAIL SECURITY PLATFORM€¦ · GoSecure ThreatTest is the world’s first fully-managed, postdelivery anti-phishing solution. Patent pending, ThreatTest removes the

Documents
Burp Suite Pro - Hack In Paris · Burp Suite Pro Real-life tips & tricks Nicolas Grégoire. ... Magic combo: Nikto Burp FuzzDB ... Misc Custom Logger, Burp Notes,

Burp Suite Pro - Hack In Paris · Burp Suite Pro Real-life tips & tricks Nicolas Grégoire. ... Magic combo: Nikto Burp FuzzDB ... Misc Custom Logger, Burp Notes,

Documents
Bath Burp Issue 15

Bath Burp Issue 15

Documents
Bath Burp Issue 5

Bath Burp Issue 5

Documents
Homework: 7.21, 7.23 Tutorial Problems: 7.25, 7.37, 7 7a.pdf · 2020. 11. 23. · Homework: 7.21, 7.23 Tutorial Problems: 7.25, 7.37, 7.40 Signals & SystemsSampling P1. Chapter 7:

Homework: 7.21, 7.23 Tutorial Problems: 7.25, 7.37, 7 7a.pdf · 2020. 11. 23. · Homework: 7.21, 7.23 Tutorial Problems: 7.25, 7.37, 7.40 Signals & SystemsSampling P1. Chapter 7:

Documents
Cloud Platform 2.21 API Release Notes - Qualys · With our new Burp API, you can now import Burp scan reports and store the findings discovered by the Burp Suite scanner with those

Cloud Platform 2.21 API Release Notes - Qualys · With our new Burp API, you can now import Burp scan reports and store the findings discovered by the Burp Suite scanner with those

Documents
Zap vs burp

Zap vs burp

Software
AppSec USA 2015: Customizing Burp Suite

AppSec USA 2015: Customizing Burp Suite

Technology
Definitive Guide to PENETRATION TESTING - Core Sentinel · Burp Suite. Burp is a web application intercepting proxy which is Burp is a web application intercepting proxy which is

Definitive Guide to PENETRATION TESTING - Core Sentinel · Burp Suite. Burp is a web application intercepting proxy which is Burp is a web application intercepting proxy which is

Documents
Web Hacking With Burp Suite 101

Web Hacking With Burp Suite 101

Technology
Burp Suite Pro Real-life tips & tricks - Agarri · Burp Suite Pro Real-life tips & tricks Nicolas Grégoire. ... Magic combo: Nikto Burp FuzzDB ... Misc Custom Logger, Burp Notes,

Burp Suite Pro Real-life tips & tricks - Agarri · Burp Suite Pro Real-life tips & tricks Nicolas Grégoire. ... Magic combo: Nikto Burp FuzzDB ... Misc Custom Logger, Burp Notes,

Documents
GoSecure Student Travel Insurance Policy Wording...GoSecure – Student Travel Insurance Policy Wording Scope of Cover This is your GoSecure Student Travel Insurance Policy. It tells

GoSecure Student Travel Insurance Policy Wording...GoSecure – Student Travel Insurance Policy Wording Scope of Cover This is your GoSecure Student Travel Insurance Policy. It tells

Documents
Bath Burp Issue 10

Bath Burp Issue 10

Documents
Bath Burp Issue 7

Bath Burp Issue 7

Documents
New GoSecure Inc. 03/07/2007the-eye.eu/public/Site-Dumps/index-of/index-of.co.uk/... · 2017. 6. 13. · GoSecure Inc. 03/07/2007 3 Google Search Technique – Just put the word and

New GoSecure Inc. 03/07/2007the-eye.eu/public/Site-Dumps/index-of/index-of.co.uk/... · 2017. 6. 13. · GoSecure Inc. 03/07/2007 3 Google Search Technique – Just put the word and

Documents
AppSec USA 2014 Denver, Colorado Customizing Burp Suite Getting the Most out of Burp Extensions

AppSec USA 2014 Denver, Colorado Customizing Burp Suite Getting the Most out of Burp Extensions

Documents
Pentesting Using Burp Suite

Pentesting Using Burp Suite

Documents
Julia Ray Bib & Burp Collection, 2013

Julia Ray Bib & Burp Collection, 2013

Documents
Burp Rag Tabs

Burp Rag Tabs

Documents
Mocking HTTP APIs With Burp - Shea Polansky · Burp Intruder Repeater Window Help Repeater Options URL Burp Suite Community Edition v1.7.35 - Temporary Project Alerts it H u b—

Mocking HTTP APIs With Burp - Shea Polansky · Burp Intruder Repeater Window Help Repeater Options URL Burp Suite Community Edition v1.7.35 - Temporary Project Alerts it H u b—

Documents
TUTORIAL B - Flannel Burp Cloth

TUTORIAL B - Flannel Burp Cloth

Documents
11 Web security testing using Burp and Firebugminisites.qaiglobalservices.com/stc2012/Paper_ Best_Practice/Web... · Web security testing using Burp Tools in Burp suite Burp Suite

11 Web security testing using Burp and Firebugminisites.qaiglobalservices.com/stc2012/Paper_ Best_Practice/Web... · Web security testing using Burp Tools in Burp suite Burp Suite

Documents
Saluting the Salubrious Burp: The Burp that Healed, by Pieter Uys

Saluting the Salubrious Burp: The Burp that Healed, by Pieter Uys

Documents
Burp Suite Starter

Burp Suite Starter

Technology
Burp Suite Extension Writing Workshop - Devils Lab Extension Writing... · » Introduction to Burp Suite » Burp features: • scoping, proxy settings, repeater mode and other options

Burp Suite Extension Writing Workshop - Devils Lab Extension Writing... · » Introduction to Burp Suite » Burp features: • scoping, proxy settings, repeater mode and other options

Documents
Automation of Web Application Scanning with Burp …...Why Burp Suite? 5 Burp Suite - GUI proxy server for manual analyse of HTTP and Websocket protocols › Everyone in our team uses

Automation of Web Application Scanning with Burp …...Why Burp Suite? 5 Burp Suite - GUI proxy server for manual analyse of HTTP and Websocket protocols › Everyone in our team uses

Documents
Introduction to burp suite

Introduction to burp suite

Software
Bath Burp Issue 4

Bath Burp Issue 4

Documents
NEST Kali Linux Tutorial: Burp Suitenest.unm.edu/files/9413/8379/7983/burpsuite.pdf · NEST Kali Linux Tutorial: Burp Suite “Burp gives you full control, letting you combine advanced

NEST Kali Linux Tutorial: Burp Suitenest.unm.edu/files/9413/8379/7983/burpsuite.pdf · NEST Kali Linux Tutorial: Burp Suite “Burp gives you full control, letting you combine advanced

Documents
GoSecure Inc. 03/07/2007 - index-of.co.ukindex-of.co.uk/Google/PCT1_30.pdf · 2019. 3. 7. · GoSecure Inc. 03/07/2007 3 Google Search Technique – Just put the word and run the

GoSecure Inc. 03/07/2007 - index-of.co.ukindex-of.co.uk/Google/PCT1_30.pdf · 2019. 3. 7. · GoSecure Inc. 03/07/2007 3 Google Search Technique – Just put the word and run the

Documents