[go: nahoru, domu]
Skip to content

Latest commit

 

History

History

xml

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
C
C
 
 
custom
custom
 
 
dos
dos
 
 
morgan-poc
morgan-poc
 
 
spath-poc
spath-poc
 
 
ssrf
ssrf
 
 
xxe
xxe
 
 
yunusov-poc
yunusov-poc
 
 
README.md
README.md
 
 
classic.xml
classic.xml
 
 
entity-svg-draw-circle-example-poc.txt
entity-svg-draw-circle-example-poc.txt
 
 
ms-xml-parser-errors-in-http-responses.txt
ms-xml-parser-errors-in-http-responses.txt
 
 
po-2335.xml
po-2335.xml
 
 
rce-poc-snippet-start-paint-via-powershell.txt
rce-poc-snippet-start-paint-via-powershell.txt
 
 
svg-xxe-contain-in-response-font-size-poc.txt
svg-xxe-contain-in-response-font-size-poc.txt
 
 
xml-html-script-poc.txt
xml-html-script-poc.txt
 
 
xml-injection-signatures.txt
xml-injection-signatures.txt
 
 
xslt-vendor-fingerprint-example-poc.xslt
xslt-vendor-fingerprint-example-poc.xslt
 
 
xxe-windows-smoke-test.txt
xxe-windows-smoke-test.txt
 
 

README.md

This Repo is pulled together from most of the Public Repo's for XXE, XML, MSLT Injection.

All the windows specific injections and errors are based on working with Burp Repeater.

Comments:

You've found an XXE/XML/XSLT Injection Bug on a Windows MSXML Parser and/or Browser and you're looking for PoC and Details...

XXE/XML/XSLT Injection on Windows is often a low-priority Bug, similar to XSS. You want to escalte, but, how?

You can usually demonstrate SSRF, but, whats the Risk? (Not much).

You can echo back CDATA and XSS the Client, and demonstrate that Risk, but what about the MSXML Parser?

You're going to be disappointed unless you find a misconfiguration allowing for C# processing and/or weak file system permissions.

This Repository does provide verified injection signatures, but you need to massage all the parameters by hand.

My advice on demonstrating Risk for XXE on Windows is to provide a simple PoC demonstrating you control the CPU for 2 > 4 seconds of DoS.

Fuzzing out the Directory and File Structure creates alot of Noise.

Know what you are looking for in advance and be prepared to Exfiltrate with 1 GET/POST.

Reminder: MSXML3,4 is EoL and insecure by Default. MSXML6 is slightly-secure by Default.

Your Mileage May Vary