XXEinjector Cheat Sheet: Every Flag I Actually Use
A field reference for XXEinjector: target options, request file format with the XXEINJECT marker, OOB and direct modes, PHP filter wrappers, file enumeration, logging, and custom listeners. Grouped by what you are trying to do.
XXEinjector is a Ruby tool that automates XML External Entity exploitation: target a request file with an XXEINJECT marker, point the tool at a callback host, and it handles the entity dance, the listener, and the file enumeration. This is the field reference for the flags I actually reach for, grouped by task.
Target and request file

| Flag | What it does |
|---|---|
| --host=192.168.1.10 | Your callback host. The IP the target will reach back to for OOB. Must be reachable from the target. |
| --httpport=80 | HTTP listener port for OOB callbacks. Defaults to 80. Match this to the port your DTD references. |
| --ssl | Send the target request over HTTPS instead of HTTP. Use when the target endpoint only accepts TLS. |
| --ftpport=21 | FTP listener port for OOB exfil of files containing newlines or characters HTTP mangles. |
| --gopherport=70 | Gopher listener port. Niche, only relevant when --oob=gopher. |
| --path=/var/www | Remote starting path for directory brute or file enumeration. |
| --file=request.txt | HTTP request template containing the XXEINJECT marker where the payload should be inserted. |
Mode

| Flag | What it does |
|---|---|
| --oob=http | Out-of-band exfil over HTTP. The default and most reliable mode when the target can make outbound connections. |
| --oob=ftp | OOB exfil over FTP. Use for files with binary or whitespace content that HTTP query strings cannot carry cleanly. |
| --oob=gopher | OOB over gopher. Niche, but works on a few stacks where HTTP and FTP egress are filtered. |
| --direct=UNIQUEMARKSTART,UNIQUEMARKEND | In-band mode. Pass two unique marker strings; XXEinjector extracts everything between them from the response. Use when the target reflects parsed XML back to the client. |
| --cdata | Wrap the entity in a CDATA construction for direct exploitation. Helps when the file body contains XML-breaking characters. |
| --2ndfile=req2.txt | Second-order injection: pair the primary request with a follow-up request that triggers the entity expansion. |
| --brute=files.txt | Directory and file brute mode. Tries each path from the wordlist and reports the ones the parser can read. |
Wrappers and encoding

| Flag | What it does |
|---|---|
| --phpfilter | Wrap reads through php://filter/convert.base64-encode. Survives source files with XML-breaking characters and discloses PHP source on PHP targets. |
| --netdoc | Use the netdoc:// protocol instead of file:// on Java targets. Bypasses some Java URL handlers that block file://. |
| --enumports=80,443,8080 | Internal port scan via blind XXE. Times the parser response per port. |
| --hashes | Steal Windows NTLM hashes by triggering an outbound SMB authentication via the entity. |
| --expect | Use the PHP expect:// wrapper when present. Lets you push commands through the parser on misconfigured PHP. |
| --xslt | Test for XSLT injection rather than entity injection. Same tool plumbing, different bug class. |
| --upload | Upload files to the target via Java's jar:// schema. Specific to Java parsers. |
File enumeration

| Flag | What it does |
|---|---|
| --file=req.txt + manual entity | Single-file read. Put the target path directly in the entity inside your request template. |
| --brute=files.txt | Iterate paths from a wordlist through the entity. Use a list of likely paths (config files, sources) to enumerate readable files in one run. Pair with --phpfilter for source disclosure across an app tree. |
| --brute=dirs.txt + --path=/ | Brute directories from the wordlist starting at --path. Combine with --brute on filenames for full tree enumeration. |
Logging, output, transport

| Flag | What it does |
|---|---|
| --logger | Write every request and response to a log file in the output directory. Keeps an audit trail for the report. |
| --verbose | Print every payload, every callback, and every parsed response to stdout. First thing I turn on when something is not working. |
| --output=loot/ | Where retrieved files and logs land. Default is the current directory. |
| --proxy=http://127.0.0.1:8080 | Route the outbound HTTP request through a proxy (Burp on 8080) for inspection. |
| --timeout=30 | Per-request timeout in seconds. |
| --contimeout=30 | Connection-establishment timeout, separate from --timeout. |
| --urlencode | URL-encode the entity payload before sending. Bypasses filters that strip raw < and &. |
| --test | Dry-run mode. Prints the payload that would be sent without firing the request. |
Listeners

| Listener | What it does |
|---|---|
| (built-in listener) | By default XXEinjector spins up its own HTTP and FTP listeners on --httpport and --ftpport. No extra setup needed for OOB. |
| Own listener (manual) | If you prefer your own catcher (ncat, a Python http.server, Interactsh), bind it to the chosen port and skip the built-in by not running in OOB mode for that step. |
XXEinjector expects a raw HTTP request file with one placeholder. The marker XXEINJECT (uppercase, no braces) is where the tool splices the entity payload. Everything else (method line, headers, cookies, body) is sent verbatim. Here is a typical POST:
No annotations beyond the marker. Capture the request the same way you would for sqlmap: DevTools, copy as cURL, paste into a text file, replace the entity declaration with XXEINJECT. The full capture flow is the same one I walk through in the sqlmap cheat sheet.
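The template mistakes that cost the most time are the ones the tool does not complain about: braces around the marker, a lowercase marker, two markers, or no blank line before the body. This added checker (not part of XXEinjector; the embedded request template is constructed for the example) catches them before the first run.

```python
import re
MARKER = "XXEINJECT"

# Constructed template in the shape the cheat sheet describes: a raw request
# with the body's entity declaration replaced by the bare marker.
SAMPLE_TEMPLATE = (
    "POST /api/import HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/xml\r\n"
    "Cookie: session=constructed-value\r\n"
    "\r\n"
    "XXEINJECT\r\n"
    "<order><id>1</id></order>\r\n"
)

def parse_template(text: str) -> dict:
    """Split a raw request into method, path, headers and body."""
    parts = re.split(r"\r?\n\r?\n", text, maxsplit=1)
    if len(parts) != 2:
        raise ValueError("no blank line between headers and body")
    head, body = parts
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def check_template(text: str) -> list[str]:
    """Problems that would make the tool misplace or skip the payload; empty means usable."""
    try:
        req = parse_template(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    count = text.count(MARKER)
    if count == 0:
        lower_hit = MARKER.lower() in text.lower()
        problems.append("marker present but not uppercase" if lower_hit else "marker missing")
    elif count > 1:
        problems.append(f"marker appears {count} times, expected exactly 1")
    if re.search(r"\{xxeinject\}", text, re.I):
        problems.append("marker wrapped in braces; use bare XXEINJECT")
    if "<!ENTITY" in text.upper():
        problems.append("entity declaration left in place; replace it with the marker")
    if "xml" not in req["headers"].get("content-type", ""):
        problems.append("Content-Type does not look like XML")
    return problems
```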
Direct (in-band) mode is for when the application echoes parsed XML back in the response. No callback is required; the response itself carries the file. --direct takes two unique marker strings, and XXEinjector extracts everything between them from the response:
The textbook recursive parameter-entity chains in older XXE writeups (the classic % indirection to pull a remote DTD that defines another entity that exfils a file) often fail against modern libxml2. From libxml2 2.9.4 onward, network access for external entities is off by default and several recursive-PE constructions are rejected outright. XXEinjector is still useful on these stacks: direct external entity loads to your callback host still work where the parser allows network entities at all, --phpfilter source disclosure still works against unhardened PHP parsers, and many shipping applications still run older libxml2 or have explicitly re-enabled the unsafe behavior. Expect a hardened modern parser to defeat the classic chained payload, and reach for direct OOB or --phpfilter first when probing.
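Seen from the receiving side, the constructs behind the modes and wrappers in the tables above are exactly what a defender can screen for, and the parser hardening described in this paragraph is what makes the rest harmless. This added example (not from the cheat sheet or XXEinjector) gates an XML body on those indicators and parses what passes with Python's standard library xml.sax with external general entities disabled; the sample documents are constructed and the php://filter resource is a placeholder.

```python
import io
import re
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructs the modes and wrappers in the tables above rely on. Flagging
# any DOCTYPE is deliberate: an API's own documents should not carry a DTD.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE", re.I),
    "external entity": re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)", re.I),
    "parameter entity": re.compile(r"<!ENTITY\s+%", re.I),
    "php filter wrapper": re.compile(r"php://filter", re.I),
    "expect wrapper": re.compile(r"expect://", re.I),
    "netdoc or jar scheme": re.compile(r"\b(netdoc|jar)://", re.I),
    "ftp or gopher callback": re.compile(r"\b(ftp|gopher)://", re.I),
}

# Constructed samples: a benign document and one shaped like a --phpfilter
# read (placeholder resource, no real target).
SAFE_DOC = "<order><id>42</id><note>ok</note></order>"
XXE_DOC = (
    "<!DOCTYPE order [<!ENTITY xxe SYSTEM "
    '"php://filter/convert.base64-encode/resource=example.php">]>'
    "<order><id>&xxe;</id></order>"
)

def scan_xml(body: str) -> list[str]:
    """Names of the indicators present; an empty list means none matched."""
    return [name for name, rx in INDICATORS.items() if rx.search(body)]

def sax_text(body: str) -> str:
    """Parse via xml.sax/expat with external general entities disabled, so an
    external reference expands to nothing rather than to a file or URL."""
    chunks = []
    handler = xml.sax.ContentHandler()
    handler.characters = chunks.append  # collect character data only
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body.encode("utf-8")))
    return "".join(chunks)

def safe_parse_text(body: str) -> str:
    """Layered handling: reject on any indicator first, then parse hardened."""
    hits = scan_xml(body)
    if hits:
        raise ValueError("rejected XML: " + ", ".join(hits))
    return sax_text(body)
```

The gate is the layer you log and alert on; the parser feature is the layer that still holds when a novel payload slips past the regexes.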
Every flag above is dual use. Use these against systems you own or are explicitly authorised to test. The XML External Entity deep dive covers the legal and disclosure framing.
Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.