Post Exploitation

Protocols that sometimes can be used:

  • jar://, ftp://, http://, or gopher://

You can use XML External Entities to

  • Information Disclosure

    • List files in the folders

    • Read file from the server

      • Reach for configuration and application files. Look for database / fileserver / backdoor credentials.

  • Remote Command Injection

  • Remote Command Execution

    • If application is written in PHP and has "Expect" module

  • SSRF

  • Denial of Service

PreviousWrappers for errorsNextJavaScript Prototype Pollution

Last updated