From 6cbf58e5b09b99ebba3647cf81c63d9bf715e18d Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Mon, 28 Oct 2024 16:18:35 +0100 Subject: [PATCH] XXE in docx/xlsx: important warning on recompression --- XXE Injection/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 5ce1a2c..02c1ec5 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -639,9 +639,11 @@ Rebuild Excel file: ``` $ cd XXE -$ 7z u ../xxe.xlsx * +$ zip -u ../xxe.xlsx * ``` +Warning: Use `zip -u` (https://infozip.sourceforge.net/Zip.html) and not `7z u` / `7za u` (https://p7zip.sourceforge.net/) or `7zz` (https://www.7-zip.org/) because they won't recompress it the same way and many Excel parsing libraries will fail to recognize it as a valid Excel file. A valid magic byte signature with (`file XXE.xlsx`) will be shown as `Microsoft Excel 2007+` (with `zip -u`) and an invalid one will be shown as `Microsoft OOXML`. + Add your blind XXE payload inside `xl/workbook.xml`. ```xml @@ -755,4 +757,4 @@ From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79 * [XXE: How to become a Jedi](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf) - Zeronights 2017 - Yaroslav Babin * [Payloads for Cisco and Citrix - Arseniy Sharoglazov](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) * [Data exfiltration using XXE on a hardened server - Ritik Singh - Jan 29, 2022](https://infosecwriteups.com/data-exfiltration-using-xxe-on-a-hardened-server-ef3a3e5893ac) -* [REDTEAM TALES 0X1: SOAPY XXE - Uncover and exploit XXE vulnerability in SOAP WS - optistream](https://www.optistream.io/blogs/tech/redteam-stories-1-soapy-xxe) \ No newline at end of file +* [REDTEAM TALES 0X1: SOAPY XXE - Uncover and exploit XXE vulnerability in SOAP WS - optistream](https://www.optistream.io/blogs/tech/redteam-stories-1-soapy-xxe)
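Review bot: in the first hunk, `zip -u ../xxe.xlsx *` will not descend into the `xl/`, `_rels/` and `docProps/` subdirectories unless `-r` is given (Info-ZIP only stores the directory entries themselves without `-r`), so the modified `xl/workbook.xml` that the next sentence tells the reader to edit would never make it back into the archive; `7z u` recursed by default, so the replacement should be `$ zip -ur ../xxe.xlsx *`. Two smaller points in the warning paragraph: the filename in `file XXE.xlsx` does not match the `../xxe.xlsx` used by the command, and "A valid magic byte signature with (`file XXE.xlsx`) will be shown as" reads awkwardly; something like "Check the result with `file ../xxe.xlsx`: a valid archive is reported as `Microsoft Excel 2007+`, an invalid one as `Microsoft OOXML`" would be clearer. It would also help the reader to say what actually differs between the two archives (entry order and compression settings) rather than only the symptom, since that is what the stricter Excel parsers reject.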
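Review bot: the second hunk only adds the missing newline at end of file for the last reference entry; it is harmless but unrelated to the subject of the patch, so either mention it in the commit message or split it into its own whitespace-only commit so the `zip -u` change stays easy to review on its own.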