> For the complete documentation index, see [llms.txt](https://sayonara.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sayonara.gitbook.io/writeups/portswigger/xxe-xml-external-entities/exploiting-xinclude-to-retrieve-files.md).

# Exploiting XInclude to retrieve files

<div align="left"><figure><img src="/files/rJeMoKKNYvJV3CgdbabX" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Exploitation</mark>

the lab has a "check stock" feature that parses XML input

<div align="left"><figure><img src="/files/hMgcPHeyihmjdoN55g6p" alt=""><figcaption></figcaption></figure></div>

send to repeater

<div align="left"><figure><img src="/files/KNimm4x6KMQrAoUiaP75" alt=""><figcaption></figcaption></figure></div>

This application **receive client-submitted data, embed it on the server-side into an XML document, and then parse the document**

In this situation, you cannot carry out a classic XXE attack, because **you don't control the entire XML** document and so cannot define or modify a `DOCTYPE` element. However, you might be able to use `XInclude` instead.

`XInclude` is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an `XInclude` attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.

To perform an `XInclude` attack, you need to reference the `XInclude` namespace and provide the path to the file that you wish to include. For example

```markup
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```

so let's go to the "check store" request that we've sent to repeater and send the XInclude payload within the productId

```markup
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
```

<div align="left"><figure><img src="/files/9t091QCc04AukrwtsleW" alt=""><figcaption></figcaption></figure></div>

and we have solved the lab&#x20;

<div align="left"><figure><img src="/files/yDyb9s09SrJEtwSOp93o" alt=""><figcaption></figcaption></figure></div>

hope you found this walkthrough easy to understand and follow

Greeting From [<mark style="color:red;">**Sayonara**</mark>](https://github.com/ismail-arame)
