Exploiting XInclude to retrieve files

Exploitation
The lab has a "check stock" feature that parses XML input.

Send the request to Repeater.

This application receives client-submitted data, embeds it on the server side into an XML document, and then parses the document.
In this situation, you cannot carry out a classic XXE attack, because you don't control the entire XML document and so cannot define or modify a DOCTYPE element. However, you might be able to use XInclude instead.
XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
To perform an XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include. For example:
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
So let's go to the "check stock" request that we sent to Repeater and send the XInclude payload in the productId parameter:
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1

And we have solved the lab.
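The server-side embedding described above, seen from the fixing side, as an added example that is not part of the original walkthrough or the lab's code. The `stockCheck` template and all function names are assumptions; the point is that an escaped or validated productId can never become an `xi:include` element.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XI_NS = "http://www.w3.org/2001/XInclude"
# Assumed server-side template; the lab's real document is not shown on the page.
TEMPLATE = "<stockCheck><productId>{pid}</productId><storeId>{sid}</storeId></stockCheck>"
# The productId value from the walkthrough, used here only as test input.
PAYLOAD = ('<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
           '<xi:include parse="text" href="file:///etc/passwd"/></foo>')

def build_unsafe(product_id, store_id):
    """Before: client data is concatenated into the XML document as-is."""
    return TEMPLATE.format(pid=product_id, sid=store_id)

def build_escaped(product_id, store_id):
    """After, step 1: escape &, < and > so the value can only ever be text."""
    return TEMPLATE.format(pid=escape(product_id), sid=escape(store_id))

def build_validated(product_id, store_id):
    """After, step 2: reject anything that is not the expected numeric ID."""
    for value in (product_id, store_id):
        if not re.fullmatch(r"[0-9]{1,10}", value):
            raise ValueError("productId and storeId must be numeric")
    return build_escaped(product_id, store_id)

def xinclude_elements(xml_text):
    """Return the xi:include elements present in the parsed document.

    ElementTree never resolves XInclude on its own, so parsing here is inert.
    """
    root = ET.fromstring(xml_text)
    return root.findall(f".//{{{XI_NS}}}include")

def product_id_text(xml_text):
    """Return the text content of <productId> as the parser sees it."""
    return ET.fromstring(xml_text).findtext("productId")

if __name__ == "__main__":
    print("unsafe :", len(xinclude_elements(build_unsafe(PAYLOAD, "1"))))
    print("escaped:", len(xinclude_elements(build_escaped(PAYLOAD, "1"))))
    print("text   :", product_id_text(build_escaped(PAYLOAD, "1")))
```

Escaping and validation stop the value from being parsed as markup; keeping XInclude processing disabled in the XML parser is the second layer.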

Hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara