ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #752 from noraj/patch-2

Browse Source 
XXE in docx/xlsx: important warning on recompression
This commit is contained in:
Swissky 2024-10-28 17:03:39 +01:00 committed by GitHub
commit 98db867333
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
XXE Injection/README.md
View File

@ -639,9 +639,11 @@ Rebuild Excel file:
``` ```
$ cd XXE $ cd XXE
$ 7z u ../xxe.xlsx * $ zip -u ../xxe.xlsx *
``` ```
Warning: Use `zip -u` (https://infozip.sourceforge.net/Zip.html) and not `7z u` / `7za u` (https://p7zip.sourceforge.net/) or `7zz` (https://www.7-zip.org/) because they won't recompress it the same way and many Excel parsing libraries will fail to recognize it as a valid Excel file. A valid magic byte signature with (`file XXE.xlsx`) will be shown as `Microsoft Excel 2007+` (with `zip -u`) and an invalid one will be shown as `Microsoft OOXML`.
Add your blind XXE payload inside `xl/workbook.xml`. Add your blind XXE payload inside `xl/workbook.xml`.
```xml ```xml