XXEinjector – Automatic XXE Injection Tool For Exploitation - Hacker10

Wednesday, 9 May 2018

XXEinjector – Automatic XXE Injection Tool For Exploitation

XXEinjector is a Ruby-based XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications and the brute forcing method needs to be used for other applications.


XXEinjector - Automatic XXE Injection Tool For Exploitation

Usage of XXEinjector XXE Injection Tool
XXEinjector actually has a LOT of options, so do have a look through to see how you can best leverage this type of attack. Obviously Ruby is a prequisite to run the tool.

If you aren’t familiar with XXE attacks you should start here first:

Usage examples for XXinjector

Enumerating /etc directory in HTTPS application:
Enumerating /etc directory using gopher for OOB method:
Second order exploitation:
Bruteforcing files using HTTP out of band method and netdoc protocol:
Enumerating using direct exploitation:
Enumerating unfiltered ports:
Stealing Windows hashes:
Uploading files using Java jar:
Executing system commands using PHP expect:
Testing for XSLT injection:
Log requests only:
You can download XXEinjector here: