{"id":13539716,"url":"https://github.com/whitel1st/docem","last_synced_at":"2025-04-02T06:31:21.858Z","repository":{"id":43820202,"uuid":"167149496","full_name":"whitel1st/docem","owner":"whitel1st","description":"  A tool to embed XXE and XSS payloads in docx, odt, pptx, xlsx files (oxml_xxe on steroids)","archived":false,"fork":false,"pushed_at":"2024-01-28T14:46:21.000Z","size":631,"stargazers_count":507,"open_issues_count":1,"forks_count":84,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-11-03T04:32:41.738Z","etag":null,"topics":["bugbounty","oxml","xss","xss-injection","xxe","xxe-injection"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/whitel1st.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-23T08:51:33.000Z","updated_at":"2024-10-22T09:56:55.000Z","dependencies_parsed_at":"2024-08-01T09:23:34.159Z","dependency_job_id":"b17b9051-ba91-45ec-b4f1-023a44349d41","html_url":"https://github.com/whitel1st/docem","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/whitel1st%2Fdocem","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/whitel1st%2Fdocem/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/whitel1st%2Fdocem/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/whitel1st%2Fdocem/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/owners/whitel1st","download_url":"https://codeload.github.com/whitel1st/docem/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246767898,"owners_count":20830574,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","oxml","xss","xss-injection","xxe","xxe-injection"],"created_at":"2024-08-01T09:01:30.815Z","updated_at":"2025-04-02T06:31:16.848Z","avatar_url":"https://github.com/whitel1st.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"783f861b9f822127dba99acb55687cbb\"\u003e\u003c/a\u003e工具","Weapons","Exploitation"],"sub_categories":["\u003ca id=\"80301821d0f5d8ec2dd3754ebb1b4b10\"\u003e\u003c/a\u003ePayload\u0026\u0026远控\u0026\u0026RAT","\u003ca id=\"6602e118e0245c83b13ff0db872c3723\"\u003e\u003c/a\u003e未分类-payload","Tools","XSS Injection","XXE Injection"],"readme":"\n```\n_|_|_|                                                  \n_|    _|    _|_|      _|_|_|    _|_|    _|_|_|  _|_|    \n_|    _|  _|    _|  _|        _|_|_|_|  _|    _|    _|  \n_|    _|  _|    _|  _|        _|        _|    _|    _|  \n_|_|_|      _|_|      _|_|_|    _|_|_|  _|    _|    _|\n\nversion 1.5\n```\n\n\nA utility to embed XXE and XSS payloads in docx, odt, pptx, etc. - any document that is a zip archive with a bunch of XML files inside.\n\nThis tool is a side project of collaborative research into the internal structure of documents with 
[ShikariSenpai](https://twitter.com/ShikariSenpai) and [ansjdnakjdnajkd](https://twitter.com/ansjdnakjdnajkd) \n\n\n## What it is all about\n\nMany common document formats, such as doc, docx, odt, etc., are just zip files with a few XML files inside.\n\n![diag0](pics/diag0.png \"diag0\")\n\nSo why don't we try to embed XXE payloads in them?  \nThat was done in great [research](http://oxmlxxe.github.io/reveal.js/slides.html#/) by Will Vandevanter (`_will_is`).\nTo create such documents with embedded payloads, there is a famous tool called [oxml_xxe](https://github.com/BuffaloWill/oxml_xxe). \n\nBut it is not convenient to use `oxml_xxe` when you need to create hundreds of documents with payloads in different places.\nSo here it is - Docem.\n\nIt works like this: you specify a sample document, that is, a document that contains `magic_symbols` (marked as `፨` in the illustrations; in the program it is the constant `XXCb8bBA9XX`) that will be replaced by an XXE or XSS payload.\n\nThere are also three different types of `payload_type` - each type determines how every `magic_symbol` will be processed for a given file in a document.\nEvery `payload_type` is described in the `Usage` section.\nHere is a small scheme of how this works:\n\n![diag1](pics/diag1.png \"diag1\")\n\nPayload modes\n\n![diag2](pics/diag2.png \"diag1\")\n\nProgram interface\n\n![screenshot](pics/screenshot.png \"screenshot\")\n\n\n## Install \n\n```bash\npip3 install -r requirements.txt\n```\n\n## Usage Docem\n\n```\npython3 docem.py --help\n```\n\n\n- required args\n\t- `-s` - path to a `sample file` or a `sample directory`. 
That sample will be used to create a document with an attack vector.\n\t- `-pt` - payload type\n\t\t- `xss` - XSS - Cross Site Scripting \n\t\t- `xxe` - XXE - XML External Entity \n- optional\n\t- `-pm` - payload mode\n\t\t- `per_document` - (default mode) for every payload, embed the payload in all places in all files and create a new document\n\t\t- `per_file` - for every payload, for every file inside a document, embed the payload in all places inside that file and create a new document\n\t\t- `per_place` - for every payload, for every place in every file, embed the payload and create a new document\n\t- `-pf` - payload file\n\t- `-sx` - sample extension - used when the sample is a directory\n\t- `-h` - print help\n\nExamples \n```bash\n./docem.py -s samples/marked/docx_sample_oxml_xxe_mod0/ -pt xxe -pf payloads/xxe_special_6.txt -pm per_document -sx docx\n./docem.py -s samples/marked/docx_sample_oxml_xxe_mod1/ -pt xxe -pf payloads/xxe_special_1.txt -pm per_file -sx docx\n./docem.py -s samples/marked/sample_oxml_xxe_mod1.docx -pt xxe -pf payloads/xxe_special_2.txt -pm per_place\n./docem.py -s samples/marked/docx_sample_oxml_xxe_mod0/ -pt xss -pf payloads/xss_tiny.txt -pm per_place -sx docx\n```\n\nAn equivalent to a `docx` file created by `oxml_xxe`. The command below will create docx files with embedded XXE payloads.\n```bash\n./docem.py -s samples/marked/docx_sample_oxml_xxe_mod0/ -pt xxe -pf payloads/xxe_special_6.txt -pm per_document -sx docx\n```\n\nTool output is saved under the `./tmp/` folder.\n\n\n## How to create custom sample\n\n\n### Via new folder sample\n\n\n1. Unzip your document `new_sample_from_folder.docx` to a folder `new_sample_from_folder/`, or use an existing clear sample by copying it from `samples/clear/\u003csample_name\u003e` to `samples/marked/new_sample_from_folder/`\n2. Add magic symbols - `XXCb8bBA9XX` (depicted as `፨` in illustrations of this readme) in places where you want payloads to be embedded\n3. 
Use the new sample with the tool as `-s samples/new_sample_from_folder/ -sx docx`\n\n\n### Via new file sample\n\n1. Add magic symbols (`XXCb8bBA9XX`) to various places in your custom document `new_sample.docx` \n2. Use the new sample as `-s new_sample.docx`\n\n\n## Payload file formats used in the tool\n\n### XSS payloads\n\nFormat: TXT file that contains a list of strings. Example:\n```\n\u003csvg/src=x/onerror=alert(1)\u003e\n\u003cxss onafterscriptexecute=alert(1)\u003e\u003cscript\u003e1\u003c/script\u003e\n```\n\n### XXE payloads\n\nThe tool uses a **special format** for XXE payloads. If you want to add additional payloads, please use the example below as a reference.\n\nFormat: TXT file that contains a list of dictionaries. Example:\n\n\n```\n{\"vector\":\"\u003c!DOCTYPE docem [\u003c!ENTITY xxe_canary_0 \\\"XXE_STRING\\\"\u003e]\u003e\",\"reference\":\"\u0026xxe_canary_0;\"}\n{\"vector\":\"\u003c!DOCTYPE docem [\u003c!ELEMENT docem ANY \u003e\u003c!ENTITY xxe_canary_2 SYSTEM \\\"file:///etc/lsb-release\\\"\u003e]\u003e\",\"reference\":\"\u0026xxe_canary_2;\"}\n```\n\n- `vector` - required keyword - the script searches for it \n- `\u003c!DOCTYPE docem [\u003c!ENTITY xxe_canary_0 \\\"XXE_STRING\\\"\u003e]\u003e` - payload. 
Warning: all double quotation marks `\"` must be escaped with one backslash `\\` =\u003e `\\\"`\n- `reference` - required keyword - the script searches for it \n- `\u0026xxe_canary_0;` - reference that will be added in all places with a magic symbol \n\n\n## Features and ToDo\n\n- Features\n\t- [x] Read file with payloads\n\t\t- [x] XXE custom payload file\n\t\t- [x] XSS payload file\n- ToDo\n\t- [x] Add ability to embed not only in xml but in unzip file also\n\t- [ ] Add flag to specify custom url to use in XXE\n\t- [ ] Add flag to specify custom url to use in XSS\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwhitel1st%2Fdocem","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwhitel1st%2Fdocem","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwhitel1st%2Fdocem/lists"}