ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

XXE WAF Bypass Added

Browse Source
This commit is contained in:
ムハンマド 2020-12-04 05:16:37 +03:00 committed by GitHub
parent e13f152b74
commit eb75a7e304
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
XXE Injection/README.md
View File

@ -31,6 +31,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
- [XXE inside SOAP](#xxe-inside-soap) - [XXE inside SOAP](#xxe-inside-soap)
- [XXE inside DOCX file](#xxe-inside-docx-file) - [XXE inside DOCX file](#xxe-inside-docx-file)
- [XXE inside XLSX file](#xxe-inside-xlsx-file) - [XXE inside XLSX file](#xxe-inside-xlsx-file)
- [XXE WAF Bypass via convert character encoding](#xxe-waf-bypass-via-convert-character-encoding)
## Tools ## Tools
@ -507,6 +508,17 @@ updating: xl/_rels/workbook.xml.rels (deflated 66%)
updating: xl/sharedStrings.xml (deflated 17%) updating: xl/sharedStrings.xml (deflated 17%)
``` ```
### XXE WAF Bypass via convert character encoding
In XXE WAFs, DTD Prolog are usually blacklisted BUT not all WAFs blacklist the UTF-16 character encoding<br><br>
`All XML processors must accept the UTF-8 and UTF-16 encodings of Unicode`
-- https://www.w3.org/XML/xml-V10-4e-errata#E11
<br><br>
we can convert the character encoding to `UTF-16` using [iconv](https://man7.org/linux/man-pages/man1/iconv.1.html) to bypass the XXE WAF:-<br>
```bash
cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml
```
## References ## References