Tags: phar xxe svg 

Rating: 5.0

# TL;DR #

This challenge was about exploiting an `XXE` through an `SVG`, then invoke a `PHP Object Injection` through the `XXE` using `phar://` and finally get `RCE`.

https://jbzteam.github.io/midnightsunctfquals2019/Rubenscube

rnehra01 – April 9, 2019, 8:47 a.m.

In the final payload, you used `/<phar_file_name>.jpg"> %data;`.Any idea why `/<phar_file_name>.jpg"> ` doesn't work?