Need a demo!!

Question

Need a demo!!

Closed this issue 8 years ago · 1 comments

Hi there!! I am mew in XXE. I just want to know what should I put in that req.txt file Captured HTTP Requests or anything else.

Answer 1 · 2016-08-20T19:18:15.000Z

Hello,

Request file is just valid HTTP request with XML somewhere (parameter,
whole body, etc.). If XML is already in the request file then tool
automatically detects it and injects DTD to exploit vulnerability. You can
also specify XXEINJECT mark where DTD should be injected and tool will
replace it with proper payload. If you want to manually put DTD in request
file and you do not want to automatically detect and inject payload then
you need to specify --nodtd argument. Please note that if you put DTD
manually then it needs to be specified correctly. You can run tool with
--dtd argument to see how DTD should look like.

Sample request file where tool injects payload automatically:

POST /xxe.php HTTP/1.1
Host: asd

xml=

Sample request file where tool will inject DTD in specified place:

POST /xxe.php HTTP/1.1
Host: asd

xml=XXEINJECT

Sample request file with payload manually injected according to --dtd. You
need to specify --nodtd as parameter to disable automatic payload injection:

POST /xxe.php HTTP/1.1
Host: asd

xml=%remote;%int;%trick;]>

regards
JP

2016-08-20 20:33 GMT+02:00 Rajesh Majumdar notifications@github.com:

Hi there!! I am mew in XXE. I just want to know what should I put in that
req.txt file Captured HTTP Requests or anything else.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#1, or mute the thread
https://github.com/notifications/unsubscribe-auth/AL5OYPSfoszB0aqzF6e66RFCwGPDRT0hks5qh0higaJpZM4JpIm7
.