Exploiting XInclude to retrieve files

Exploitation

the lab has a "check stock" feature that parses XML input

send to repeater

This application receive client-submitted data, embed it on the server-side into an XML document, and then parse the document

In this situation, you cannot carry out a classic XXE attack, because you don't control the entire XML document and so cannot define or modify a DOCTYPE element. However, you might be able to use XInclude instead.

XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.

To perform an XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include. For example

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>

so let's go to the "check store" request that we've sent to repeater and send the XInclude payload within the productId

productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1

and we have solved the lab

hope you found this walkthrough easy to understand and follow

Greeting From Sayonara

PreviousExploiting blind XXE to retrieve data via error messages NextExploiting XXE via image file upload

Last updated 2 years ago

Was this helpful?