BuffaloWill/oxml_xxe
oxml_xxe

This tool is meant to help test for XXE vulnerabilities in OXML document file formats by embedding XXE payloads into the XML parts of a document. Currently supported:

  • DOCX/XLSX/PPTX
  • ODT/ODG/ODP/ODS
  • SVG
  • XML
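As an added example (not code from the oxml_xxe project), here is the defender's counterpart to what the tool produces: a Ruby script that opens an OOXML package as the ZIP archive it is, walks its XML parts and flags the DTD constructs an XXE payload needs (a DOCTYPE, an ENTITY with a SYSTEM or PUBLIC identifier, a parameter entity). The sample .docx parts, the minimal ZIP writer/reader and the `file:///placeholder` URI are all constructed here; the reader assumes local headers carry entry sizes (no data descriptors), which office suites do. Ruby is used because the project itself is Ruby.

```ruby
require 'zlib'

# Constructed sample XML parts (not from the oxml_xxe project): a clean
# WordprocessingML body and one carrying the DOCTYPE/external-entity
# declaration pattern that XXE payloads rely on.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

CLEAN_DOCUMENT = <<~XML
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <w:document xmlns:w="#{W_NS}"><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>
XML

TAINTED_DOCUMENT = <<~XML
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <!DOCTYPE w:document [ <!ENTITY ext SYSTEM "file:///placeholder"> ]>
  <w:document xmlns:w="#{W_NS}"><w:body><w:p><w:r><w:t>&ext;</w:t></w:r></w:p></w:body></w:document>
XML

CONTENT_TYPES = <<~XML
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
    <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
  </Types>
XML

# Minimal ZIP writer (stored entries only) so the sample runs without the
# rubyzip gem. An OOXML or ODF package is an ordinary ZIP of XML parts.
def build_stored_zip(entries)
  out = "".b
  central = "".b
  entries.each do |name, data|
    name = name.b
    data = data.b
    offset = out.bytesize
    crc = Zlib.crc32(data)
    out << [0x04034b50, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
            name.bytesize, 0].pack("VvvvvvVVVvv") << name << data
    central << [0x02014b50, 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                name.bytesize, 0, 0, 0, 0, 0, offset].pack("VvvvvvvVVVvvvvvVV") << name
  end
  out << central
  out << [0x06054b50, 0, 0, entries.size, entries.size, central.bytesize,
          out.bytesize - central.bytesize, 0].pack("VvvvvVVv")
end

# Walk the local file headers of a ZIP and yield (name, content).
# Assumption: sizes are present in the local header (general-purpose flag
# bit 3 unset), which is the case for packages written by office suites.
def each_zip_part(zip)
  pos = 0
  while zip.byteslice(pos, 4) == "PK\x03\x04".b
    _sig, _ver, flags, method, _t, _d, _crc, csize, _usize, nlen, xlen =
      zip.byteslice(pos, 30).unpack("VvvvvvVVVvv")
    raise "streamed entry (data descriptor) not supported" if (flags & 0x08) != 0
    name = zip.byteslice(pos + 30, nlen)
    raw  = zip.byteslice(pos + 30 + nlen + xlen, csize)
    # method 8 is deflate (raw stream, hence the negative window bits); 0 is stored
    content = method == 8 ? Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw) : raw
    yield name, content
    pos += 30 + nlen + xlen + csize
  end
end

# Any DTD at all is abnormal in an OOXML/ODF part; an ENTITY with a
# SYSTEM/PUBLIC identifier or a parameter entity is the shape XXE takes.
XXE_INDICATORS = {
  doctype:          /<!DOCTYPE\b/i,
  external_entity:  /<!ENTITY\s+(%\s+)?\S+\s+(SYSTEM|PUBLIC)\b/i,
  parameter_entity: /<!ENTITY\s+%/i,
}.freeze

def scan_xml_part(name, xml)
  XXE_INDICATORS.select { |_, re| xml.match?(re) }.keys.map { |k| [name, k] }
end

# Returns [[part_name, indicator], ...]; an empty array means no DTD constructs.
def scan_package(zip)
  findings = []
  each_zip_part(zip) do |name, content|
    next unless name.end_with?(".xml", ".rels") || content.lstrip.start_with?("<?xml".b)
    findings.concat(scan_xml_part(name, content))
  end
  findings
end

# Constructed two-part .docx, clean or tainted, for demonstration.
def sample_package(tainted:)
  build_stored_zip(
    "[Content_Types].xml" => CONTENT_TYPES,
    "word/document.xml"   => tainted ? TAINTED_DOCUMENT : CLEAN_DOCUMENT
  )
end

if __FILE__ == $0
  scan_package(sample_package(tainted: true)).each { |part, ind| puts "#{part}: #{ind}" }
end
```

Against a real upload the call is simply `scan_package(File.binread(path))`; the same walker covers ODT/ODS/ODP packages, which the tool also targets, since those are ZIP-based as well. The check is deliberately syntactic: a DTD has no legitimate place in these packages, so flagging any DOCTYPE before the document reaches an XML parser is cheaper and safer than trying to reason about which entities are harmful.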

BH USA 2015 Presentation: Exploiting XXE in File Upload Functionality (Slides) (Recorded Webcast)

Blog Posts on the topic:

Installation

OXML_XXE was written in Ruby using Sinatra, Bootstrap, and Slim.

Docker

  1. Run docker build --tag oxml_xxe .
  2. Run docker run --name oxml_xxe -p 4567:4567 --rm oxml_xxe
  3. Browse to http://localhost:4567/ to get started.

Docker Compose

  1. Run docker-compose up --build
  2. Browse to http://localhost:4567/ to get started.

Ubuntu

Install dependencies:

apt-get install -y make git libsqlite3-dev libxslt-dev libxml2-dev zlib1g-dev gcc ruby3.2 g++

Bundle install:

gem install bundler
bundle install

Start the service:

ruby server.rb

Examples

See: https://github.com/BuffaloWill/oxml_xxe/wiki/python-docx

About

A tool for embedding XXE/XML exploits into different filetypes