Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/whitel1st/docem

A tool to embed XXE and XSS payloads in docx, odt, pptx, xlsx files (oxml_xxe on steroids)
https://github.com/whitel1st/docem

bugbounty oxml xss xss-injection xxe xxe-injection

Last synced: about 1 month ago
JSON representation

A tool to embed XXE and XSS payloads in docx, odt, pptx, xlsx files (oxml_xxe on steroids)

Awesome Lists containing this project

README 

        

```

_|_|_|                                                  

_|    _|    _|_|      _|_|_|    _|_|    _|_|_|  _|_|    

_|    _|  _|    _|  _|        _|_|_|_|  _|    _|    _|  

_|    _|  _|    _|  _|        _|        _|    _|    _|  

_|_|_|      _|_|      _|_|_|    _|_|_|  _|    _|    _|



version 1.5

```



A utility to embed XXE and XSS payloads in docx, odt, pptx, etc - any documents that is a zip archive with bunch of xml files inside.



This tool is a side-project of a colloborative research of document's internal structure with [ShikariSenpai](https://twitter.com/ShikariSenpai) and [ansjdnakjdnajkd](https://twitter.com/ansjdnakjdnajkd) 



## What it is all about



A lot of common document formats, such as doc,docx,odt,etc are just a zip files with a few xml files inside.



![diag0](pics/diag0.png "diag0")



So why don't we try to embed XXE payloads in them?  

That was done in a great [research](http://oxmlxxe.github.io/reveal.js/slides.html#/) by Will Vandevanter (`_will_is`)

To create such documents with embedded payloads there is a famous tool called [oxml_xxe](https://github.com/BuffaloWill/oxml_xxe). 



But. It is not convenient to use `oxml_xxe` when you need to create hundreds of documents with payloads in different places.

So there it goes - Docem.



It works like that: You specify sample document - that is a doc that contains `magic_symbols` (in illustrations it is marked as `፨` (in program it is constant `XXCb8bBA9XX`)) that will be replaced by a XXE or XSS payload.



Also there are three different types of `payload_type` - every type determines how every `magic_symbol` will be processed for a given file in a document.

Every `payload_type` described in a section `Usage`.

Here is a small scheme of how this works:



![diag1](pics/diag1.png "diag1")



Payload modes



![diag2](pics/diag2.png "diag1")



Programm interface



![screenshot](pics/screenshot.png "screenshot")



## Install 



```bash

pip3 install -r requirements.txt

```



## Usage Docem



```

python3 docem.py --help

```



- required args

	- `-s` - path to a `sample file` or a `sample directory`. That sample will be used to create a document with an attacking vector.

	- `-pt` - payload type

		- `xss` - XSS - Cross Site Scripting 

		- `xxe` - XXE - External XML Entity 

- optional

	- `-pm` - payload mode

		- `per_document` - (default mode) for every payload, embed payload in all places in all files and create new document

		- `per_file` - for every payload, for every file inside a document, for all places inside a file embed a payload and create a new document

		- `per_place` - for every payload, for every place in every file, embed a payload and create a new doc

	- `-pf` - payload file

	- `-sx ` - sample extension - used when sample is a directory

	- `-h` - print help



Examples 

```bash

./docem.py -s samples/marked/docx_sample_oxml_xxe_mod0/ -pt xxe -pf payloads/xxe_special_6.txt -pm per_document -sx docx

./docem.py -s samples/marked/docx_sample_oxml_xxe_mod1/ -pt xxe -pf payloads/xxe_special_1.txt -pm per_file -sx docx

./docem.py -s samples/marked/sample_oxml_xxe_mod1.docx -pt xxe -pf payloads/xxe_special_2.txt -pm per_place

./docem.py -s samples/marked/docx_sample_oxml_xxe_mod0/ -pt xss -pf payloads/xss_tiny.txt -pm per_place -sx docx

```



An equivalent to a `docx` file created by `oxml_xxe`. The command bellow will create docx files with embedded XXE payloads.

```bash

./docem.py -s samples/marked/docx_sample_oxml_xxe_mod0/ -pt xss -pf payloads/xxe_special_6.txt -pm per_document -sx docx

```



Tool output is saved under `./tmp/` folder



## How to create custom sample



### Via new folder sample



1. Unzip your document `new_sample_from_folder.docx` to a folder `new_sample_from_folder/` or use already existing clear sample by coping it from `samples/clear/` to `samples/marked/new_sample_from_folder/`

2. Add magic symbols - `XXCb8bBA9XX` (depicted as `፨` in illustrations of this readme) in places where you want payloads to be embedded

3. Use new sample with the tool as `-s samples/new_sample_from_folder/ -sx docx`



### Via new file sample



1. Add magic symbols (`XXCb8bBA9XX`) to various places in you custom document `new_sample.docx` 

2. Use new sample as `-s new_sample.docx`



## Payload file formats used in the tool



### XSS payloads



Format: TXT file that contains list strings. Example:

```



1

```



### XXE payloads



Tools uses **Special format** for XXE payloads. If you want to add additional payloads, please use an example bellow as a reference.



Format: TXT file that contains list dictionaries. Example



```

{"vector":"]>","reference":"&xxe_canary_0;"}

{"vector":"]>","reference":"&xxe_canary_2;"}

```



- `vector` - required key word - script will be searching for it 

- `]>` - payload. Warning all double quotation marks `"` must be escaped with one backslash `\` => `\"`

- `reference` - required key word - script will be searching for it 

- `&xxe_canary_0;` - reference that will be add in all places with magic symbol 



## Features and ToDo



- Features

	- [x] Read file with payloads

		- [x] XXE custom payload file

		- [x] XSS payload file

- ToDo

	- [x] Add ability to embed not only in xml but in unzip file also

	- [ ] Add flag to specify custom url to use in XXE

	- [ ] Add flag to specify custom url to use in XSS