Introduction

Recently, XML parsers have somewhat gone out of fashion and are being replaced by other data formats such as JSON. Still, we need to treat every XML parser we use as potentially vulnerable to XML external entity (XXE) attacks. In modern libraries the loading of external entities is disabled by default, but it can still be re-enabled. It might be switched on just for testing, and forgetting to disable it afterwards could have disastrous consequences.

Attacks might be used to retrieve files from the server or even execute remote code.

Make a connection

THE SERVER GETS ERASED EVERY 24 HOURS

Let's create an XXE

Create a file on the server with the following content. Name it anything you'd like; just remember the name for later.

```php
<?php
// This makes XXE possible: re-enable the (normally disabled) external entity loader.
// The call is deprecated since PHP 8.0, where the LIBXML_NOENT | LIBXML_DTDLOAD flags
// passed to loadXML() below are what actually turn entity substitution on.
libxml_disable_entity_loader(false);
// Grab the input sent to the PHP file (the raw POST body)
$xmlfile = file_get_contents('php://input');
// Create a new DOM document and parse the XML with entity substitution and DTD loading enabled
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
// Grab the data from the parsed document
$cheese = simplexml_import_dom($dom);
$cheeseType = (string) $cheese->cheeseType;
if ($cheeseType === "") {
    // Escape the example so the tags are visible in the browser instead of being parsed as HTML
    echo "Please make a POST request with the following data<br><br>"
        . htmlspecialchars("<cheese>") . "<br>"
        . htmlspecialchars("<cheeseType>Test</cheeseType>") . "<br>"
        . htmlspecialchars("</cheese>");
} else {
    echo "I also LOVEEEE $cheeseType";
}
?>
```
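For comparison, here is the same endpoint written the way it should be deployed outside a lab. This is an added example, not code from the original tutorial: it keeps the cheeseType logic but leaves the external entity loader off, rejects any document that carries a DOCTYPE (so there is nowhere to declare an entity), passes LIBXML_NONET instead of LIBXML_NOENT | LIBXML_DTDLOAD, and escapes the value before echoing it.

```php
<?php
// Added example (not the tutorial's own code): hardened version of the cheese endpoint.

// On PHP < 8.0 keep the global entity loader disabled. On PHP 8.0+ the function is
// deprecated and the loader is already off unless LIBXML_NOENT / LIBXML_DTDLOAD are
// passed explicitly, so the flags handed to loadXML() below are the real control.
if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}
// Collect libxml warnings instead of printing them into the response.
libxml_use_internal_errors(true);

$xmlfile = file_get_contents('php://input');
if ($xmlfile === false || $xmlfile === '') {
    http_response_code(400);
    exit('Empty request body');
}

// This endpoint never needs a DTD, so refuse any document that declares one.
// Without a DOCTYPE there is no place to define an internal or external entity.
if (stripos($xmlfile, '<!DOCTYPE') !== false) {
    http_response_code(400);
    exit('DTDs are not accepted');
}

$dom = new DOMDocument();
// LIBXML_NONET forbids network access during parsing; note the absence of
// LIBXML_NOENT and LIBXML_DTDLOAD, which are what the vulnerable version enables.
if ($dom->loadXML($xmlfile, LIBXML_NONET) === false) {
    http_response_code(400);
    exit('Invalid XML');
}

$cheese = simplexml_import_dom($dom);
$cheeseType = (string) $cheese->cheeseType;
if ($cheeseType === '') {
    echo "Please make a POST request with the following data<br><br>"
        . htmlspecialchars("<cheese><cheeseType>Test</cheeseType></cheese>");
} else {
    // Escape before echoing so a crafted cheeseType cannot inject HTML into the page.
    echo "I also LOVEEEE " . htmlspecialchars($cheeseType, ENT_QUOTES, 'UTF-8');
}
```

The DOCTYPE check is a belt-and-braces measure on top of the parser flags: even if a future refactor reintroduces LIBXML_NOENT, a document with no DTD has no entities to expand.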

Make sure to replace "FILE.php" with the filename of your own file:

```html
<form id="comment_form" action="FILE.php" method="GET">
```

Let's hack it

To hack this site, we are going to use Postman so we can get familiar with it as well: https://www.postman.com/downloads/

If you want to know the whole story, you can watch my video playlist on YouTube explaining Postman in depth.

**https://youtu.be/rdxVgV8dOnQ**

We will first make a new collection and add a new request to it.


In our request we are going to make a POST request to our file with the following data: