buffalowill / oxml_xxe
A tool for embedding XXE/XML exploits into different filetypes
Hello, any way you could get this updated so it works on newer systems? I'm trying all sorts of stuff to get this working without any luck.
"As a user I would like the Input File to default to sample.docx. This would make it easier to create a PoC quickly"
Followed the instructions exactly and received this error trying to bundle install
Your Ruby version is 2.3.5, but your Gemfile specified 2.6.2
soooooo do i use 2.3.5 per the docs or 2.6.2 per the gemfile? :P
Thanks!
For now string substitution is handled at the document level. It is necessary to allow string substitutions at the file level.
For example, as a user I would like to be able to substitute an XXE into a string or XML parameter of the "[Content_Types].xml" file.
Hi, do you know any open source XML parser with known vulnerabilities, which can be hacked by documents created by oxml_xxe?
I was ordered to test the tools that we’re using for testing security in my company.
Thanks in advance!
ruby server.rb
/usr/local/lib/site_ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- haml (LoadError)
from /usr/local/lib/site_ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from server.rb:4:in `
ruby 2.3.3p222 (2016-11-21) [x86_64-linux-gnu]
there are randomly inserted menu exits. this needs to be properly implemented with highline
Hi,
I haven't tried this on Linux, but I tried to install this on Windows. After installing its required dependencies, it showed the error given below.
The Gemfile says to have Ruby 2.1.5 but I have 2.1.8, if that information is required.
I have updated that file to use it. https://github.com/exploitprotocol/oxml_xxe/blob/master/Gemfile
If the Ruby version is the issue, could you please increase support for other Ruby versions.
Thanks
My problem is that
I use Kali Linux and I am trying to use the tool of "beef", however, for this situation firstly I need to upgrade ruby because I see this error 'Ruby version 2.1.5 is no longer supported. Please upgrade to Ruby version 2.2 or later.'
When I check my version of the ruby it is 'ruby 2.1.5p273 (2014-11-13) [i386-linux-gnu]'.
And then I tried respectively
sudo apt-get install ruby2.0
sudo apt-get install ruby-full
apt-get upgrade
apt-get update
But still I could not upgrade it, how can I upgrade, could you help me, please?
Thank you.
Hi
I have done the setup on a remote server and I can't access 127.0.0.1:4567.
I am trying to open the private and public IP with port 4567 but I am not able to get the output.
Please help me with the fix.
The Gemfile currently pins the ruby version to 2.1.5. I wonder if this could be updated to 2.4.x or later?
WARNING: ruby-2.1.5 is past its end of life and is now unsupported.
It no longer receives bug fixes or critical security updates.
Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory:
An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.
More details about features here.
Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.
Mainly because this is giving visibility to your tool and improve its referencing.
The badge shows your community that you are inventoried. It looks good but also shows you care about your project, that your tool is referenced.
Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that, but there are several styles available.
If you want to thank us, you can help make our open project better known by tweeting about it! For example:
That's all, this message is just to notify you if you care. Else you can close this issue.
I can do a pull request and write you some install instructions.
I had to do the following to get the program running:
$ gem install highline
$ gem install zipruby
root@linux-ptvm-01:~/oxml_xxe# ruby server.rb
/var/lib/gems/2.3.0/gems/rack-2.0.3/lib/rack/show_exceptions.rb:16: warning: already initialized constant Rack::ShowExceptions::CONTEXT
/usr/lib/ruby/vendor_ruby/rack/showexceptions.rb:16: warning: previous definition of CONTEXT was here
/var/lib/gems/2.3.0/gems/rack-2.0.3/lib/rack/show_exceptions.rb:114: warning: already initialized constant Rack::ShowExceptions::TEMPLATE
/usr/lib/ruby/vendor_ruby/rack/showexceptions.rb:115: warning: previous definition of TEMPLATE was here
/usr/lib/ruby/2.3.0/rubygems/specification.rb:2287:in `raise_if_conflicts': Unable to activate dm-serializer-1.2.2, because json-2.1.0 conflicts with json (~> 1.6) (Gem::ConflictError)
from /usr/lib/ruby/2.3.0/rubygems/specification.rb:1408:in `activate'
from /usr/lib/ruby/2.3.0/rubygems/specification.rb:1442:in `block in activate_dependencies'
from /usr/lib/ruby/2.3.0/rubygems/specification.rb:1428:in `each'
from /usr/lib/ruby/2.3.0/rubygems/specification.rb:1428:in `activate_dependencies'
from /usr/lib/ruby/2.3.0/rubygems/specification.rb:1410:in `activate'
from /usr/lib/ruby/2.3.0/rubygems.rb:196:in `rescue in try_activate'
from /usr/lib/ruby/2.3.0/rubygems.rb:193:in `try_activate'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:125:in `rescue in require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:40:in `require'
from /root/oxml_xxe/model/master.rb:2:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from server.rb:11:in
When attempting to build and run the latest version of the tool, the docker image builds correctly but is unable to run.
The log output states that it is unable to find the gem dependencies. See below.
λ docker-compose up --build 0 (01:09.004) < 13:33:55
Building web
[+] Building 0.8s (11/11) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 366B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/ruby:3.2.2-slim 0.7s
=> [1/6] FROM docker.io/library/ruby:3.2.2-slim@sha256:995aeea8fd8261662d7d9c157ca319ce009c7f99333b3358eb26e84b63 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 19.16kB 0.0s
=> CACHED [2/6] RUN apt-get update && apt-get install -y make git libsqlite3-dev libxslt-dev libxml2-dev zlib 0.0s
=> CACHED [3/6] WORKDIR /oxml_xxe 0.0s
=> CACHED [4/6] COPY Gemfile ./ 0.0s
=> CACHED [5/6] RUN bundle install 0.0s
=> CACHED [6/6] COPY . . 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:adb7d84f06b69380dcc7e887c6fe1816a63bcad7925075b32df53cf49757d442 0.0s
=> => naming to docker.io/library/oxml_xxe_web 0.0s
Starting oxml_xxe_web_1 ... done
Attaching to oxml_xxe_web_1
web_1 | /usr/local/lib/ruby/3.2.0/bundler/definition.rb:524:in `materialize': Could not find slim-5.1.0, nokogiri-1.14.3-x86_64-linux, sequel-5.68.0, sqlite3-1.6.2-x86_64-linux, temple-0.10.0, tilt-2.1.0, thor-1.2.1 in locally installed gems (Bundler::GemNotFound)
web_1 | from /usr/local/lib/ruby/3.2.0/bundler/definition.rb:197:in `specs'
web_1 | from /usr/local/lib/ruby/3.2.0/bundler/definition.rb:254:in `specs_for'
web_1 | from /usr/local/lib/ruby/3.2.0/bundler/runtime.rb:18:in `setup'
web_1 | from /usr/local/lib/ruby/3.2.0/bundler.rb:171:in `setup'
web_1 | from /usr/local/lib/ruby/3.2.0/bundler/setup.rb:23:in `block in <top (required)>'
web_1 | from /usr/local/lib/ruby/3.2.0/bundler/ui/shell.rb:159:in `with_level'
web_1 | from /usr/local/lib/ruby/3.2.0/bundler/ui/shell.rb:111:in `silence'
web_1 | from /usr/local/lib/ruby/3.2.0/bundler/setup.rb:23:in `<top (required)>'
web_1 | from <internal:/usr/local/lib/ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
web_1 | from <internal:/usr/local/lib/ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
web_1 | from /usr/local/lib/ruby/3.2.0/rubygems.rb:1370:in `<top (required)>'
web_1 | from <internal:gem_prelude>:2:in `require'
web_1 | from <internal:gem_prelude>:2:in `<internal:gem_prelude>'
oxml_xxe_web_1 exited with code 1
"as a user I would like to have a CLI version of oxml_xxe. sometimes using the menu is more than I need"
This would likely involve moving some of the methods into a helper file, each version could pull from this.
The Gemfile uses ruby 2.3.5 but this version is old and it is not possible to build it easily anymore on modern distros. I tried building 2.3.5 and 2.3.8 with rbenv and it fails.
I tried to install dependencies with ruby 2.6.2 but in the gemfile some versions were not fixed:
gem 'sinatra', '1.4.8'
gem 'haml'
gem 'rubyzip'
gem 'json','1.8.6'
gem 'nokogiri'
gem 'data_mapper', '1.2.0'
gem 'dm-sqlite-adapter', '1.2.0'
So breaking changes happened between 2017 and 2019 for some of them.
$ ruby server.rb
Traceback (most recent call last):
5: from server.rb:11:in `<main>'
4: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
3: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
2: from /home/noraj/Tools/oxml_xxe/model/master.rb:2:in `<top (required)>'
1: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
/home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- data_mapper (LoadError)
12: from server.rb:11:in `<main>'
11: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
10: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
9: from /home/noraj/Tools/oxml_xxe/model/master.rb:2:in `<top (required)>'
8: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:34:in `require'
7: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:123:in `rescue in require'
6: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems.rb:217:in `try_activate'
5: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1420:in `activate'
4: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1438:in `activate_dependencies'
3: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1438:in `each'
2: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1452:in `block in activate_dependencies'
1: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1418:in `activate'
/home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:2302:in `raise_if_conflicts': Unable to activate dm-serializer-1.2.2, because json-2.1.0 conflicts with json (~> 1.6)
(Gem::ConflictError)
13: from server.rb:11:in `<main>'
12: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
11: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
10: from /home/noraj/Tools/oxml_xxe/model/master.rb:2:in `<top (required)>'
9: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:34:in `require'
8: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:123:in `rescue in require'
7: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems.rb:216:in `try_activate'
6: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems.rb:223:in `rescue in try_activate'
5: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1420:in `activate'
4: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1438:in `activate_dependencies'
3: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1438:in `each'
2: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1452:in `block in activate_dependencies'
1: from /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:1418:in `activate'
/home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0/rubygems/specification.rb:2302:in `raise_if_conflicts': Unable to activate dm-serializer-1.2.2, because json-2.1.0 conflicts with json (~> 1.6)
(Gem::ConflictError)
So if you can update dependencies and test with a 2.6.x ruby.
"As a user I would like to be able to print out a description of the XXE payloads"
It would be great if there was an official dockerfile and automated build on dockerhub.
I can see some previous work on https://github.com/nahidupa/oxml_xxe/blob/master/Dockerfile by @nahidupa , but it appears that hasn't been pushed to dockerhub:
I've started work on my own, which may evolve over time into a more compact alpine linux container, assuming it runs properly there:
Ideally it would be awesome to see this built against alpine linux.
the menu system would benefit from indentation
Hello,
Firstly, many thanks for your tool. I have to use it tomorrow for a pentest :)
Just I saw you added a 6th argument in "insert_payload_docx" function (line 82 in util.rb)
# overridden method for replacing entire xml files
def insert_payload_docx(ffile,name,payloadx,ip,exfil,bool_replace_xml)
So we are getting an error in server.rb, which calls the function with only 5 arguments.
I think a cosmetic fix is required ;-) (,false)
Thank you,
Nicolas
Solution: remove Gemfile.lock before building the image, it will be generated automatically correctly
Here is old Gemfile
source 'https://rubygems.org'
ruby "2.3.5"
gem 'sinatra', '1.4.8'
gem 'haml'
gem 'rubyzip'
gem 'json','1.8.6'
gem 'nokogiri'
gem 'data_mapper', '1.2.0'
gem 'dm-sqlite-adapter', '1.2.0'
now it's working
Originally posted by @b1nslashsh in #30 (comment)
Insert all should create one word document with the XXE backdoor in all files.
$ ruby server.rb
/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- haml (LoadError)
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from server.rb:4:in `<main>'
What's the problem here?