XXEinjector – Automatic XXE Injection Tool For Exploitation

The New Acunetix V12 Engine


XXEinjector is a Ruby-based XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications and the brute forcing method needs to be used for other applications.

XXEinjector - Automatic XXE Injection Tool For Exploitation


Usage of XXEinjector XXE Injection Tool

XXEinjector actually has a LOT of options, so do have a look through to see how you can best leverage this type of attack. Obviously Ruby is a prequisite to run the tool.

If you aren’t familiar with XXE attacks you should start here first:

XXE Injection Attacks – XML External Entity Vulnerability With Examples

Usage examples for XXinjector

Enumerating /etc directory in HTTPS application:

Enumerating /etc directory using gopher for OOB method:

Second order exploitation:

Bruteforcing files using HTTP out of band method and netdoc protocol:

Enumerating using direct exploitation:

Enumerating unfiltered ports:

Stealing Windows hashes:

Uploading files using Java jar:

Executing system commands using PHP expect:

Testing for XSLT injection:

Log requests only:

You can download XXEinjector here:

XXEinjector-master.zip

Or read more here.

Posted in: Hacking Tools

,


Latest Posts:


NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.
Metta - Information Security Adversarial Simulation Tool Metta – Information Security Adversarial Simulation Tool
Metta is an information security preparedness tool in Python to help with adversarial simulation and assess security defense preparation and alerts.
Powershell-RAT - Gmail Exfiltration RAT Powershell-RAT – Gmail Exfiltration RAT
Powershell-RAT is a Python-based Gmail exfiltration RAT that can be used a Windows backdoor to send screenshots or other data as an e-mail attachment.
SCADA Hacking - Industrial Systems Woefully Insecure SCADA Hacking – Industrial Systems Woefully Insecure
It seems like SCADA hacking is still a topic in hacker conferences, and it should be with SCADA systems still driving power stations, manufacturing plants etc.
airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.
Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.


Comments are closed.