Skip to content

Commit 59db436

Browse files
authored
Simplify. Major remake (#4)
* Adding basic classes * Embed logic added * Works up to injecting * Adding comments * per_document works * per_document rewritten and enhanced. embed_files re-designed * per_place and per_file is working * Documentation improved. Samples tested. Samples folder has been changed.
1 parent b0ddd87 commit 59db436

99 files changed

Lines changed: 533 additions & 600 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.gitignore

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,5 @@
11
tmp/*
2-
tmp*
2+
tmp*
3+
.venv
4+
venv
5+
jaunch.json

.vscode/launch.json

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
{
2+
// Use IntelliSense to learn about possible attributes.
3+
// Hover to view descriptions of existing attributes.
4+
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
5+
"version": "0.2.0",
6+
"configurations": [
7+
{
8+
"name": "Python: Current File",
9+
"type": "python",
10+
"request": "launch",
11+
"program": "${file}",
12+
"console": "integratedTerminal",
13+
"args": [
14+
"-s","samples/marked/sample_oxml_xxe_mod1.docx",
15+
"-pt","xss",
16+
"-pf","payloads/xss_tiny.txt",
17+
"-pm","per_document",
18+
"-sx","docx"
19+
],
20+
21+
"justMyCode": true
22+
}
23+
]
24+
}

README.md

Lines changed: 35 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ _| _| _| _| _| _|_|_|_| _| _| _|
66
_| _| _| _| _| _| _| _| _|
77
_|_|_| _|_| _|_|_| _|_|_| _| _| _|
88
9-
version 1.3
9+
version 1.5
1010
```
1111

1212

@@ -19,7 +19,7 @@ This tool is a side-project of a colloborative research of document's internal s
1919

2020
A lot of common document formats, such as doc,docx,odt,etc are just a zip files with a few xml files inside.
2121

22-
![diag0](https://github.com/whitel1st/docem/blob/master/pics/diag0.png "diag0")
22+
![diag0](pics/diag0.png "diag0")
2323

2424
So why don't we try to embed XXE payloads in them?
2525
That was done in a great [research](http://oxmlxxe.github.io/reveal.js/slides.html#/) by Will Vandevanter (`_will_is`)
@@ -34,15 +34,15 @@ Also there are three different types of `payload_type` - every type determines h
3434
Every `payload_type` described in a section `Usage`.
3535
Here is a small scheme of how this works:
3636

37-
![diag1](https://github.com/whitel1st/docem/blob/master/pics/diag1.png "diag1")
37+
![diag1](pics/diag1.png "diag1")
3838

3939
Payload modes
4040

41-
![diag2](https://github.com/whitel1st/docem/blob/master/pics/diag2.png "diag1")
41+
![diag2](pics/diag2.png "diag1")
4242

4343
Programm interface
4444

45-
![screenshot](https://github.com/whitel1st/docem/blob/master/pics/screenshot.png "screenshot")
45+
![screenshot](pics/screenshot.png "screenshot")
4646

4747

4848
## Install
@@ -60,74 +60,78 @@ python3 docem.py --help
6060

6161
- required args
6262
- `-s` - path to a `sample file` or a `sample directory`. That sample will be used to create a document with an attacking vector.
63-
- `-pm` - payload mode
63+
- `-pt` - payload type
6464
- `xss` - XSS - Cross Site Scripting
6565
- `xxe` - XXE - External XML Entity
6666
- optional
67-
- `-pt` - payload type
67+
- `-pm` - payload mode
6868
- `per_document` - (default mode) for every payload, embed payload in all places in all files and create new document
6969
- `per_file` - for every payload, for every file inside a document, for all places inside a file embed a payload and create a new document
7070
- `per_place` - for every payload, for every place in every file, embed a payload and create a new doc
7171
- `-pf` - payload file
72-
- `-kt` - do not delete temp folders in a `tmp/`
7372
- `-sx ` - sample extension - used when sample is a directory
7473
- `-h` - print help
7574

7675
Examples
7776
```bash
78-
./docem.py -s samples/xxe/docx_sample_oxml_xxe_mod0/ -pm xss -pf payloads/xxe_special_6.txt -pt per_document -kt -sx docx
79-
./docem.py -s samples/xxe/docx_sample_oxml_xxe_mod1/ -pm xss -pf payloads/xxe_special_1.txt -pt per_file -kt -sx docx
80-
./docem.py -s samples/xxe/sample_oxml_xxe_mod1.docx -pm xxe -pf payloads/xxe_special_2.txt -kt -pt per_place
81-
./docem.py -s samples/xss_sample_0.odt -pm xss -pf payloads/xss_tiny.txt -pm per_place
77+
./docem.py -s samples/marked/docx_sample_oxml_xxe_mod0/ -pt xxe -pf payloads/xxe_special_6.txt -pm per_document -sx docx
78+
./docem.py -s samples/marked/docx_sample_oxml_xxe_mod1/ -pt xxe -pf payloads/xxe_special_1.txt -pm per_file -sx docx
79+
./docem.py -s samples/marked/sample_oxml_xxe_mod1.docx -pt xxe -pf payloads/xxe_special_2.txt -pm per_place
80+
./docem.py -s samples/marked/docx_sample_oxml_xxe_mod0/ -pt xss -pf payloads/xss_tiny.txt -pm per_place -sx docx
8281
```
8382

84-
An equivalent to a `docx` file created by oxml_xxe
85-
```
86-
./docem.py -s samples/xxe/docx_sample_oxml_xxe_mod0/ -pm xss -pf payloads/xxe_special_6.txt -pt per_document -kt -sx docx
83+
An equivalent to a `docx` file created by `oxml_xxe`. The command bellow will create docx files with embedded XXE payloads.
84+
```bash
85+
./docem.py -s samples/marked/docx_sample_oxml_xxe_mod0/ -pt xss -pf payloads/xxe_special_6.txt -pm per_document -sx docx
8786
```
8887

88+
Tool output is saved under `./tmp/` folder
89+
8990

9091
## How to create custom sample
9192

9293

9394
### Via new folder sample
9495

9596

96-
1. Unzip your document `example.docx` to a folder `example/`
97+
1. Unzip your document `new_sample_from_folder.docx` to a folder `new_sample_from_folder/` or use already existing clear sample by coping it from `samples/clear/<sample_name>` to `samples/marked/new_sample_from_folder/`
9798
2. Add magic symbols - `XXCb8bBA9XX` (depicted as `` in illustrations of this readme) in places where you want payloads to be embedded
98-
3. Use new sample with the tool as `-s samples/example/ -sx docx`
99+
3. Use new sample with the tool as `-s samples/new_sample_from_folder/ -sx docx`
99100

100101

101102
### Via new file sample
102103

103-
1. Unzip your document `example.docx` to a folder `example/`
104-
2. Add magic symbols - `XXCb8bBA9XX` - (depicted as `` in illustrations of this readme) in places where you want payloads to be embedded
105-
3. Zip your new sample into `example_modified0.zip`
106-
4. Rename extension - `example_modified0.docx`
107-
5. Use new sample with the tool as `-s samples/example_modified0.docx`
104+
1. Add magic symbols (`XXCb8bBA9XX`) to various places in you custom document `new_sample.docx`
105+
2. Use new sample as `-s new_sample.docx`
106+
108107

108+
## Payload file formats used in the tool
109109

110-
## File with payloads format
110+
### XSS payloads
111111

112-
A small documentation to add your custom payloads
112+
Format: TXT file that contains list strings. Example:
113+
```
114+
<svg/src=x/onerror=alert(1)>
115+
<xss onafterscriptexecute=alert(1)><script>1</script>
116+
```
113117

114118
### XXE payloads
115119

116-
**Special format**
120+
Tools uses **Special format** for XXE payloads. If you want to add additional payloads, please use an example bellow as a reference.
121+
122+
Format: TXT file that contains list dictionaries. Example
117123

118-
String from a file
119124

120-
`{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}`
125+
```
126+
{"vector":"<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>","reference":"&xxe_canary_0;"}
127+
{"vector":"<!DOCTYPE docem [<!ELEMENT docem ANY ><!ENTITY xxe_canary_2 SYSTEM \"file:///etc/lsb-release\">]>","reference":"&xxe_canary_2;"}
128+
```
121129

122130
- `vector` - required key word - script will be searching for it
123131
- `<!DOCTYPE docem [<!ENTITY xxe_canary_0 \"XXE_STRING\">]>` - payload. Warning all double quotation marks `"` must be escaped with one backslash `\` => `\"`
124132
- `reference` - required key word - script will be searching for it
125133
- `&xxe_canary_0;` - reference that will be add in all places with magic symbol
126134

127-
### XSS payloads
128-
129-
No special format.
130-
Just a file with strings. As if you would use it in any other tool.
131135

132136
## Features and ToDo
133137

0 commit comments

Comments
 (0)