XXExploiter - Tool to help exploit XXE vulnerabilities

Mar 24, 2020

XXExploiter generates the XML payloads, and automatically starts a server to serve the needed DTD's or to do data exfiltration.

IMPORTANT: This tool is still under development and although most of its features are already working, some may have not been tested properly.

Installation

#install node and npm if you don't have it yet 
npm install -g xxexploiter

Building and Running from source

This is a simple Node application written with typescript. So you can build it as you build other apps:
(install node and npm first, if you dont have them)

npm install  
npm run build  
#you may need to npm install tsc -g in order for 'npm build' to succeed 

To run the app you can do it with one of two ways:

npm start [args]  
node dist/index.js [args]  

Or you can install it on your system:

npm link

Usage

Usage: xxexploiter.ts [command] [options]

Commands:
  xxexploiter file [file_to_read]  Use XXE to read a file
  xxexploiter request [URL]        Use XXE to do a request
  xxexploiter expect [command]     Use XXE to execute a command through PHP's expect
  xxexploiter xee [expantions]     Generate a huge content by resolving entities

Fuzzing Specific Options
  -f, --fuzz            Enables fuzz options. Use {{FUZZ}} placeholder in....

Author

Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
SpirtualMan
1 year ago

Why do you introduce a tool and just copy the Readme from the repo? How about some additional instructions on how to use the tool!

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023