Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2026-04-19 13:34:25 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #824 from noraj/patch-2

Browse source 
XXE zip recompression tips
This commit is contained in:
Swissky 2026-03-16 14:57:15 +01:00 committed by GitHub
commit f695b0a527
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
XXE Injection/README.md
View file

@ -591,7 +591,7 @@ cd XXE
zip -r -u ../xxe.xlsx * zip -r -u ../xxe.xlsx *
``` ```
Warning: Use `zip -u` (<https://infozip.sourceforge.net/Zip.html>) and not `7z u` / `7za u` (<https://p7zip.sourceforge.net/>) or `7zz` (<https://www.7-zip.org/>) because they won't recompress it the same way and many Excel parsing libraries will fail to recognize it as a valid Excel file. A valid magic byte signature with (`file XXE.xlsx`) will be shown as `Microsoft Excel 2007+` (with `zip -u`) and an invalid one will be shown as `Microsoft OOXML`. Warning: Use `zip -u` (<https://infozip.sourceforge.net/Zip.html>) and not `7z u` / `7za u` (<https://p7zip.sourceforge.net/>) or `7zz` (<https://www.7-zip.org/>) because they won't recompress it the same way and many Excel parsing libraries will fail to recognize it as a valid Excel file. A valid magic byte signature with (`file XXE.xlsx`) will be shown as `Microsoft Excel 2007+` (with `zip -u`) and an invalid one will be shown as `Microsoft OOXML`. Alternatively, with 7z you can specify the correct compression algorithm with: `7z a -tzip` to get the correct signature.
Add your blind XXE payload inside `xl/workbook.xml`. Add your blind XXE payload inside `xl/workbook.xml`.