Exploiting an XML External Entity Injection
XML (Extensible Markup Language) is a format that is mainly used to describe the structure of documents or data; HTML, for example, is an implementation of XML that defines the structure and format of pages and the relations among them.
XML entities are similar to data structures defined inside an XML document, and some of them have the ability to read files from the system or even execute commands.
In this recipe, we will exploit an XML External Entity (XEE) Injection vulnerability to achieve code execution on the server.
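The defensive counterpart of this recipe is to make sure the application's own parser never resolves the entities described above. The following is an added example, not code from the recipe or from Mutillidae: it screens untrusted XML for external entity declarations (and, by default, for any DOCTYPE, since inline DTDs also enable entity-expansion attacks) before handing it to Python's standard-library parser. The helper names, the regular expressions and the two sample documents are this example's own constructions; the file path in the sample is a placeholder.

```python
"""Reject XML documents that declare external entities before parsing them.

Added example, not part of the original recipe. Uses only the Python
standard library (xml.etree.ElementTree); helper names are this example's own.
"""
import re
import xml.etree.ElementTree as ET

# Matches <!ENTITY name SYSTEM "..."> or <!ENTITY name PUBLIC "..." "...">,
# including parameter entities of the form <!ENTITY % name SYSTEM "...">.
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def has_external_entity(xml_text: str) -> bool:
    """True if the document declares an entity that points outside the file."""
    return _EXTERNAL_ENTITY.search(xml_text) is not None


def has_doctype(xml_text: str) -> bool:
    """True if the document carries a DTD (DOCTYPE) at all."""
    return _DOCTYPE.search(xml_text) is not None


def validate_xml(xml_text: str, allow_doctype: bool = False) -> str:
    """Parse untrusted XML and return the root element's tag name.

    Documents with external entity declarations are always rejected. By
    default any DOCTYPE is rejected as well, because an inline DTD can still
    define nested internal entities (the "billion laughs" expansion attack)
    without referencing anything external.
    """
    if has_external_entity(xml_text):
        raise ValueError("external entity declaration rejected")
    if not allow_doctype and has_doctype(xml_text):
        raise ValueError("DOCTYPE not allowed in untrusted input")
    root = ET.fromstring(xml_text)
    return root.tag


# Constructed sample inputs for demonstration (not captured from a real host).
SAFE_DOC = "<somexml><message>Hello World</message></somexml>"
EXTERNAL_ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE somexml [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    "<somexml><message>&ext;</message></somexml>"
)

if __name__ == "__main__":
    print("safe document root:", validate_xml(SAFE_DOC))
    for label, doc in (("safe", SAFE_DOC), ("external entity", EXTERNAL_ENTITY_DOC)):
        print(f"{label}: external entity declared = {has_external_entity(doc)}")
    try:
        validate_xml(EXTERNAL_ENTITY_DOC)
    except ValueError as err:
        print("rejected:", err)
```

The textual pre-check is a belt-and-braces measure; the primary control remains configuring the parser itself not to resolve external entities or load DTDs, which is available in every mainstream XML library. In a validator endpoint like the one in this recipe, rejecting the document before parsing also gives a clean log line for detection.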
Getting ready
It is suggested that you follow the Abusing file inclusions and uploads recipe before doing this.
How to do it...
Browse to http://192.168.56.102/mutillidae/index.php?page=xml-validator.php. It says that it is an XML validator; let's try to submit the example and see what happens. In the XML box, put

<somexml><message>Hello World</message></somexml>

and click on Validate XML:

Now, let's see...