INFRA - XML requests + ssrf4 endpoint

core/requester.py

@@ -35,7 +35,7 @@ def __init__(self, path):
             # Parse data
             self.data_to_dict(content[-1])
         except Exception as e:
-            logging.error("Bad Format")
+            logging.warning("Bad Format or Raw data !")
 
     def data_to_dict(self, data):
         if self.method == "POST":
@@ -44,8 +44,13 @@ def data_to_dict(self, data):
             if self.headers['Content-Type'] and self.headers['Content-Type'] == "application/json":
                 self.data = json.loads(data)
 
+            # Handle XML data
+            elif self.headers['Content-Type'] and self.headers['Content-Type'] == "application/xml":
+                self.data['__xml__'] = data
+
             # Handle FORM data
             else:
+                print(data)
                 for arg in data.split("&"):
                     regex = re.compile('(.*)=(.*)')
                     for name,value in regex.findall(arg):
@@ -60,7 +65,6 @@ def do_request(self, param, value, timeout=3, stream=False):
                 if param in data_injected:
                     data_injected[param] = value
 
-
                     # Handle JSON data
                     if self.headers['Content-Type'] and self.headers['Content-Type'] == "application/json":
                         r = requests.post(
@@ -80,6 +84,25 @@ def do_request(self, param, value, timeout=3, stream=False):
                             timeout=timeout,
                             stream=stream
                         )
+                else:
+                    if self.headers['Content-Type'] and self.headers['Content-Type'] == "application/xml":
+                        if "*FUZZ*" in data_injected['__xml__']:
+
+                            # replace the injection point with the payload
+                            data_xml = data_injected['__xml__']
+                            data_xml = data_xml.replace('*FUZZ*', value)
+
+                            r = requests.post(
+                                "http://" + self.host + self.action, 
+                                headers=self.headers, 
+                                data=data_xml,
+                                timeout=timeout,
+                                stream=stream
+                            )                            
+
+                        else:
+                            logging.error("Not injection point found !")
+                            exit(1)   
             else:
                 # String is immutable, we don't have to do a "forced" copy
                 regex = re.compile(param+"=(\w+)")

data/example.py

@@ -4,6 +4,7 @@
 
 from flask import Flask, abort, request 
 import json
+import re
 import subprocess
 
 app = Flask(__name__)
@@ -35,6 +36,19 @@ def ssrf3():
     content = command("curl {}".format(data.get('url')))
     return content
 
+# curl -X POST -H "Content-Type: application/xml" -d '<run><log encoding="hexBinary">4142430A</log><result>0</result><url>http://google.com</url></run>' http://127.0.0.1:5000/ssrf4
+@app.route("/ssrf4", methods=['POST'])
+def ssrf4():
+    data = request.data
+    print(data.decode())
+    regex = re.compile("url>(.*?)</url")
+    try:
+        url = regex.findall(data.decode())[0]
+        content = command("curl {}".format(url))
+        return content
+    except Exception as e:
+        return e
+
 def command(cmd):
 	proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
 	(out, err) = proc.communicate()

data/request4.txt

@@ -0,0 +1,9 @@
+POST /ssrf4 HTTP/1.1
+User-Agent: User-agent
+Host: 127.0.0.1:5000
+Connection: close
+Accept-Encoding: gzip, deflate
+Content-Type: application/xml
+Content-Length: 149
+
+<run><log encoding="hexBinary">4142430A</log><result>0</result><url>*FUZZ*</url></run>