Exploiting Web Page
Last updated
So the page wants us to upload XML elements named Author, Subject and Content.
Writing a test XML file to see whether it will work.
Using Burp Suite to see the results. I immediately noticed that even though I wrote the file as .txt, the site only accepts it as XML.
So I change the filename and the Content-Type within Burp Suite to ".xml" and "text/xml".
I try again, but this time I put Author, Subject and Content in capitals.
OK, so now I know it accepts XML fine. I need an XXE injection template. I use the one from
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection/Files
Then I put my previous XML strings into it like so:
I had to remove the "#" from ANY, as I think it was blocking it. I added numbers at the end of Author and Content to show that they are different lines.
Line 22 used a SYSTEM entity declaration to pull the contents of file:/etc/passwd into an entity named file. Then we referenced that entity, "file", on line 25.
And it worked: once I sent that, I was greeted with a different response.
Now with those changes, the response I get from the website is "internal server error".
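As an added example (not code from this write-up or from the target site), here is a defender-side upload check in Python that applies the two rules the page discovered (a .xml filename and a text/xml Content-Type) and refuses any DOCTYPE or ENTITY declaration before parsing, so a SYSTEM entity like the one above never reaches the XML parser. The function name check_upload, the root wrapper element and the sample values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed benign upload with the three elements the page names.
BENIGN_XML = """<?xml version="1.0"?>
<root><Author>alice</Author><Subject>hello</Subject><Content>a note</Content></root>"""

# Constructed upload carrying the XXE template from the page: an external entity
# declared with SYSTEM, which a DTD-enabled parser would expand inside <Content>.
XXE_XML = """<?xml version="1.0"?>
<!DOCTYPE root [
  <!ELEMENT root ANY>
  <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<root><Author>alice</Author><Subject>hello</Subject><Content>&file;</Content></root>"""

# A three-field document never needs a DTD, so any DOCTYPE or ENTITY declaration
# is refused (and worth logging) before the XML parser sees the body.
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
REQUIRED_FIELDS = ("Author", "Subject", "Content")


def check_upload(filename: str, content_type: str, body: str) -> dict:
    """Apply the endpoint's .xml / text/xml rules, reject DTDs, then extract fields."""
    def reject(why: str) -> dict:
        return {"ok": False, "reason": why, "fields": {}}

    if not filename.lower().endswith(".xml"):
        return reject("filename must end in .xml")
    if content_type.split(";")[0].strip().lower() != "text/xml":
        return reject("Content-Type must be text/xml")
    if DTD_RE.search(body):
        return reject("DOCTYPE/ENTITY declarations are not allowed")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return reject(f"malformed XML: {exc}")
    fields = {}
    for name in REQUIRED_FIELDS:
        node = root.find(name)  # case-sensitive: Author, not author
        if node is None or not (node.text or "").strip():
            return reject(f"missing element {name}")
        fields[name] = node.text.strip()
    return {"ok": True, "reason": "accepted", "fields": fields}
```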