Tags: sqli web xxe 


## Treasury #2
Before going forward, make sure to read the solution of `Treasury #1` since this part is pretty easy and just uses what we gathered in the first part.

### XXE
That being said, it is now obvious that we need to read the contents of `/flag`.
> Just if I could read files :(

Oh yes we can... XML provides us with the great feature of loading external resources using DocType Definitions (DTD), and this falls in the range of **XXE attacks** (XML eXternal Entity).

Here is the XML we'll be injecting to read the contents of `/flag` :

As you can see, we use a DOCTYPE definition and define `flag` as an entity that reads the `/flag` file, so when we issue `&flag;` in the `excerpt` tag, it will replace the `flag` "variable" with the contents of `/flag`. Let's see :
- **Query payload:** `' UNION SELECT ']><root><excerpt>&flag;</excerpt></root>`
- **Explanation:** nothing much to explain, we just inject the XML in the UNION query
- **Response:** `ASIS{03482b1821398ccb5214d891aed35dc87d3a77b2}`, we get the second **flag** as expected, **very COOL**.

Original writeup (https://github.com/malikDaCoda/CTFs-writeups/tree/master/web/ASIS%20CTF%20Quals%202020-Treasury).