3v4l.org

run code in 300+ PHP versions simultaneously
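<?php
// XML with two external entities: one outside the allowed directory, one inside it.
$xml = <<<XML
<!DOCTYPE root [
<!ENTITY attack SYSTEM "config/config.ini">
<!ENTITY ent SYSTEM "entities/ent.txt">
]>
<xml>
&attack;
&ent;
</xml>
XML;

// emulate existing local file
if (!is_dir('/tmp/entities/')) {
    mkdir('/tmp/entities/');
}
file_put_contents('/tmp/entities/ent.txt', 'OK ENTITY');

// Custom loader: only resolve SYSTEM entities that canonicalize to a path under /tmp/entities/.
libxml_set_external_entity_loader(
    function (?string $public, ?string $system, array $context) {
        // '/tmp' . $system only forms a valid path when $system starts with '/'.
        // realpath() resolves symlinks and '..' segments and returns false (not null) on failure.
        $path = realpath('/tmp' . $system);
        if ($public === null && $path !== false && str_starts_with($path, '/tmp/entities/')) {
            // Read the canonical path that was just checked, not the raw input.
            $resolved = file_get_contents($path);
        } else {
            $resolved = 'nice try but no';
        }
        // Return the content as a stream, which libxml accepts as the entity body.
        $f = fopen('php://temp', 'r+');
        fwrite($f, $resolved);
        rewind($f);
        return $f;
    }
);

$doc = new DOMDocument;
// LIBXML_NOENT substitutes entities, so every external entity goes through the loader above.
$doc->loadXML($xml, LIBXML_NOENT);
echo $doc->saveXML();
?>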
