BountyTips
XXE
Some methods to check for XXE vulnerabilities:
1- Convert the content type from "application/json"/"application/x-www-form-urlencoded" to "application/xml".
2- If SVG is allowed in picture upload, you can inject XML in SVGs.
Key: SVG upload is allowed.
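Added here as the defender's counterpart to tip 2 (example code, not from the original list): an uploaded SVG is XML, so the upload handler should reject any file carrying a DTD or entity declaration before it reaches an XML parser. The size cap and the sample SVGs are assumptions constructed for this example.

```python
# Defensive check for SVG image uploads (added example, not part of the original
# tips): an uploaded SVG is XML, so the upload handler must refuse any DTD before
# the bytes reach an XML parser. Sample files below are constructed.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_SVG_BYTES = 512 * 1024  # size cap; an assumed policy value for this example

# A DOCTYPE or ENTITY declaration has no legitimate place in an uploaded SVG,
# so its presence (any case, any whitespace after "<!") is grounds to reject.
_DTD_RE = re.compile(rb"<!\s*(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(data: bytes) -> bool:
    """True when the raw upload declares a DTD or an entity."""
    return _DTD_RE.search(data) is not None


def validate_svg_upload(data: bytes) -> ET.Element:
    """Return the parsed <svg> root, or raise ValueError for anything unsafe.
    Byte-level checks run first so the parser never sees a document that
    could expand entities or reference external resources."""
    if len(data) > MAX_SVG_BYTES:
        raise ValueError("SVG too large")
    if has_dtd(data):
        raise ValueError("DTD or entity declaration in uploaded SVG")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"malformed SVG: {exc}") from exc
    if root.tag != f"{{{SVG_NS}}}svg":  # reject XML that merely claims to be an image
        raise ValueError(f"unexpected root element {root.tag!r}")
    return root


def is_safe_svg(data: bytes) -> bool:
    """Accept/reject form of validate_svg_upload."""
    try:
        validate_svg_upload(data)
        return True
    except ValueError:
        return False


# Constructed samples: a benign icon and one that smuggles an entity declaration.
BENIGN_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" '
              b'width="8" height="8"><rect width="8" height="8"/></svg>')
DTD_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x "expanded">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>')

if __name__ == "__main__":
    print("benign:", is_safe_svg(BENIGN_SVG), "| with DTD:", is_safe_svg(DTD_SVG))
```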