Discovering vulnerabilities quickly with targeted scanning — PortSwigger
This lab contains a vulnerability that enables you to read arbitrary files from the server. To solve the lab, retrieve the contents of /etc/passwd within 10 minutes | Approach
Let’s Start — You have to solve the lab in 10 Minutes
Access the lab, turn on the proxy, and turn off Intercept in Burp Suite.
Now look at the contents of the HTTP history in the Proxy tab. You can see a request to /product/stock; its ProductID parameter is an input to test.
Right-click on /product/stock → Do Active Scan
Try changing the parameters to various values.
The scanner found an Out-of-band resource load on /product/stock
It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response.
- Send the request to Repeater
- Add the payload below in the ProductID parameter
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
Send the request. You are now able to view the contents of /etc/passwd.
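Why the payload works, and how the server side should handle the parameter, as an added example that is not part of the original write-up or the lab's code. It assumes the application places the ProductID value into a server-side XML document; the `stockCheck` and `productId` element names and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XI_NS = "http://www.w3.org/2001/XInclude"

# The payload from the write-up, as it would arrive in the ProductID parameter.
PAYLOAD = ('<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
           '<xi:include parse="text" href="file:///etc/passwd"/></foo>')


def build_unsafe(product_id: str) -> str:
    """Vulnerable pattern: raw parameter concatenated into the XML document."""
    return f"<stockCheck><productId>{product_id}</productId></stockCheck>"


def build_escaped(product_id: str) -> str:
    """Hardened: markup characters are escaped, so the value stays plain text."""
    return f"<stockCheck><productId>{escape(product_id)}</productId></stockCheck>"


def validate_product_id(product_id: str) -> int:
    """Stricter still: accept only a short decimal ID and reject everything else."""
    if not (product_id.isascii() and product_id.isdigit() and len(product_id) <= 9):
        raise ValueError("ProductID must be a decimal integer")
    return int(product_id)


def xinclude_directives(document: str) -> list:
    """Return the href of every xi:include element present in the parsed tree.

    ElementTree does not resolve XInclude unless ElementInclude.include() is
    called, so this only inspects the tree and never opens the referenced file.
    """
    root = ET.fromstring(document)
    return [el.get("href") for el in root.iter(f"{{{XI_NS}}}include")]


if __name__ == "__main__":
    # Concatenation turns the parameter into live markup with an include directive.
    print("unsafe :", xinclude_directives(build_unsafe(PAYLOAD)))
    # Escaping leaves the same input as inert character data.
    print("escaped:", xinclude_directives(build_escaped(PAYLOAD)))
    print("valid  :", validate_product_id("2"))
```

A parser with XInclude processing enabled would resolve the directive found in the unsafe document; keeping XInclude disabled on the server-side parser is the complementary control.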
Feel free to ask queries via LinkedIn and to buy me a coffee : )
Thank you for Reading!!
Happy Hunting ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng