I’m doing security research and I’m trying to create a Ruby script vulnerable to XXE.
I’ve got the following XML, which should replace &xxe with the contents of the passwd file if the script is vulnerable:
xml_data = '<?xml version="1.0"?><!DOCTYPE demo [ ]> &xxe; '
From what I’ve read, it is the libxml2 options that are protecting the script, so with Nokogiri I’ve tried forcing the options down to just RECOVER, but that doesn’t work; I can’t even get basic entity
doc = Nokogiri::XML.parse(xml_data, nil, nil,
I’ve also tried REXML; here the basic entity replacement works, but I can’t find how to set the parse options.
doc = REXML::Document.new(xml_data)
doc.elements.each('a/inject') do |ele|
Finally, I’ve tried setting up a vulnerable environment with the versions and code from this example, but this returns nothing.
What am I doing wrong? If there is a better way to do this then feel free to suggest it; I’m not tied to either of these ways, I just need a way to practice exploitation of this vulnerability.
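Whichever of the two parsers is used, the point the post runs into is that entity handling depends on parser defaults (Nokogiri leaves entities unexpanded unless told otherwise, REXML substitutes internal ones), so code that accepts XML from outside should refuse DTDs before the parser sees them. The following is an added example, not code from the original post: it uses REXML from Ruby's standard library, and the `dtd_findings` and `parse_untrusted` functions, the sample documents and the placeholder URIs are constructed for the demonstration.

```ruby
require "rexml/document"

class DtdNotAllowed < StandardError; end

# Every DTD construct in the raw text, classified before any parser runs.
# DOCTYPE with SYSTEM/PUBLIC = external DTD; ENTITY with SYSTEM/PUBLIC =
# external entity (the XXE case); a leading % marks a parameter entity.
def dtd_findings(xml)
  findings = []
  xml.scan(/<!DOCTYPE\s+([^\s>\[]+)\s*(SYSTEM|PUBLIC)?/i) do |name, ext|
    findings << { construct: :doctype, name: name, external: !ext.nil? }
  end
  xml.scan(/<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)?/i) do |param, name, ext|
    findings << { construct: param ? :parameter_entity : :general_entity,
                  name: name, external: !ext.nil? }
  end
  findings
end

# Parse untrusted XML with REXML only when it carries no DTD at all, so
# entity handling never depends on which parse options happen to be set.
def parse_untrusted(xml)
  findings = dtd_findings(xml)
  unless findings.empty?
    raise DtdNotAllowed, findings.map { |f| "#{f[:construct]} #{f[:name]}" }.join(", ")
  end
  REXML::Document.new(xml)
end

# Constructed sample inputs (the URIs are placeholders and are never fetched).
SAFE_XML    = '<?xml version="1.0"?><a><inject>hello</inject></a>'
XXE_XML     = '<?xml version="1.0"?><!DOCTYPE demo [ <!ENTITY xxe SYSTEM "file:///not/fetched"> ]>' \
              '<a><inject>&xxe;</inject></a>'
EXT_DTD_XML = '<?xml version="1.0"?><!DOCTYPE a SYSTEM "http://example.invalid/a.dtd"><a/>'

if __FILE__ == $PROGRAM_NAME
  p dtd_findings(XXE_XML)
  puts parse_untrusted(SAFE_XML).elements["a/inject"].text
  begin
    parse_untrusted(XXE_XML)
  rescue DtdNotAllowed => e
    puts "rejected: #{e.message}"
  end
end
```

The guard is deliberately stricter than tuning parse options: a document that needs a DTD is not something an untrusted source should be allowed to send.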