Exploiting XXE/XML with the BlindRef tool
- Shah Hardik
- Mar 29, 2018
- 2 min read
BlindRef is a tool for Blind XML External Entity (XXE) Injection. BlindRef is an infantile project that has much to learn, but in its current state serves as a research base while conducting web application assessments.

XXE Injection can occur when XML parsers are overly permissive in their configurations and allow the processing of external XML entities. These external entities can reference files on the local file system or even share drives. Successful exploitation of XXE can result in the ability to compromise sensitive configuration files, the mapping of internal networks, and even the sending of email.

Requirements for the attack:
1. Burp Suite Professional
2. BlindRef tool

Preparing for the attack:
1. `git clone https://github.com/ptonewreckin/BlindRef.git` in whatever directory you like
2. `cd BlindRef`
3. `chmod +x BlindRef_Attacker.py`

Usage:

`BlindRef_Attacker.py -s serverURL -p serverPort -r webRequest`

How to use:

Note: the following usage is only applicable if the website is vulnerable to XML/XXE injection.

To use BlindRef in the most effective manner, the following steps are recommended:
1. Open Burp Suite Professional and fire up a proxy of your choosing.
2. Go to your target website's login page and enter any credentials.
3. Capture the login request.
4. Convert the request into a Python-friendly request (using the requests library).
5. Save your clipboard as a file of your choosing. [For demonstration purposes we will use sampleRequest.py]
6. Modify the request by including the BLINDREF tag within the vulnerable parameter.
7. BlindRef then automates the process of enumerating files on the hosting application server by iterating through payloads within the 'BLINDREF' tag.

Note: In its current state, BlindRef does not actively detect XXE vulnerabilities. It requires you to first determine an effective payload position. This will of course change in the future but hey, it's a start.

The operation has two components: BlindRef_Server and BlindRef_Attacker.
- BlindRef_Server: The 'brain' of the operation that hosts and serves entities to the vulnerable web application.
- BlindRef_Attacker: Instantiates requests to the vulnerable web server to kick off requests for entities hosted on the BlindRef_Server.

As I mentioned above in the usage section, type:

`BlindRef_Attacker.py -s serverURL -p serverPort -r webRequest`
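The opening paragraph puts the cause of XXE on parsers that accept DTDs and external entities. The Python example below is added here and is not part of BlindRef or of this post; it shows the defender's side of the same problem: a request-side check that flags DOCTYPE, ENTITY, SYSTEM and PUBLIC markers for logging, and a parse routine that rejects any document carrying a DTD before the standard-library parser ever sees it. The two sample request bodies, and the file path inside the hostile one, are constructed placeholders.

```python
# Added example (not part of BlindRef or the post): defender-side handling of
# client-supplied XML. The sample bodies below are constructed for this demo.
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat


class XXEBlocked(ValueError):
    """Raised when a request body declares a DTD or an entity."""


# Markers worth flagging in request logs or at a WAF layer. Assumption: the
# application never expects a DTD in client-supplied XML, so any hit is suspect.
_INDICATORS = {
    "DOCTYPE": re.compile(rb"<!DOCTYPE", re.IGNORECASE),
    "ENTITY": re.compile(rb"<!ENTITY", re.IGNORECASE),
    "SYSTEM": re.compile(rb"\bSYSTEM\b"),
    "PUBLIC": re.compile(rb"\bPUBLIC\b"),
}


def detect_dtd_indicators(body: bytes) -> list:
    """Return the names of DTD-related markers found in the body, in a fixed order."""
    return [name for name, pattern in _INDICATORS.items() if pattern.search(body)]


def safe_parse(body: bytes) -> ET.Element:
    """Parse XML, refusing any document that carries a DOCTYPE or entity declaration.

    A first pass with expat aborts on the first DTD construct; only a DTD-free
    document reaches ElementTree, so no entity can be defined or fetched.
    """
    guard = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEBlocked("DOCTYPE declaration rejected: %s" % name)

    def reject_entity(name, *rest):
        raise XXEBlocked("entity declaration rejected: %s" % name)

    guard.StartDoctypeDeclHandler = reject_doctype
    guard.EntityDeclHandler = reject_entity
    # Belt and braces: if an external reference were ever reached, refuse to fetch it.
    guard.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    guard.Parse(body, True)
    return ET.fromstring(body)


def screen_request(body: bytes) -> dict:
    """Combine detection and parsing the way a request filter would: record what
    was seen, accept only DTD-free documents, and never raise into the caller."""
    result = {"indicators": detect_dtd_indicators(body), "accepted": False, "root": None}
    try:
        result["root"] = safe_parse(body)
        result["accepted"] = True
    except XXEBlocked as exc:
        result["reason"] = str(exc)
    except (ET.ParseError, xml.parsers.expat.ExpatError) as exc:
        result["reason"] = "malformed XML: %s" % exc
    return result


# Constructed sample bodies: a normal login post and one carrying a DTD with an
# external entity (the SYSTEM path is a placeholder, not a real location).
BENIGN_BODY = b"<login><username>alice</username><password>hunter2</password></login>"
DTD_BODY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE login [<!ENTITY ext SYSTEM "file:///placeholder/example">]>'
    b"<login><username>&ext;</username><password>x</password></login>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("dtd", DTD_BODY)):
        verdict = screen_request(body)
        print(label, "indicators=%s accepted=%s" % (verdict["indicators"], verdict["accepted"]))
```

The indicator scan is deliberately separate from the parse: the scan is cheap enough to run on every request and feeds logging or alerting, while the parse step is the actual control, so a request that slips past the regexes (odd encodings, whitespace tricks) is still refused by expat's DTD handlers. Both pieces use only the standard library, so the same pattern fits wherever `xml.etree` is already in use.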
