11.7 Lab: Exploiting XInclude to retrieve files | 2024
Karthikeyan Nagaraj | Mar 3, 2024
Description
This lab has a “Check stock” feature that embeds the user input inside a server-side XML document that is subsequently parsed.
Because you don’t control the entire XML document you can’t define a DTD to launch a classic XXE attack.
To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file.
Solution
1. Visit a product page, click “Check stock”, and intercept the resulting POST request in Burp Suite.
2. Set the value of the productId parameter to:
3. Send the request and the lab will be solved.
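The server-side pattern from the Description, shown from the defender's side as an added example (not code from the lab or the author): user input concatenated into an XML document can become markup, while escaping plus allow-list validation keeps it as data. The `stockCheck`/`storeId` template, the function names and the sample input are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Hypothetical template: the lab's real server-side document is not shown on the page.
TEMPLATE = "<stockCheck><productId>{pid}</productId><storeId>1</storeId></stockCheck>"


def build_unsafe(product_id):
    """Vulnerable pattern: raw concatenation lets input become XML markup."""
    return TEMPLATE.format(pid=product_id)


def build_safe(product_id):
    """Hardened pattern: escape &, < and > so input stays character data."""
    return TEMPLATE.format(pid=escape(product_id))


def xinclude_elements(xml_text):
    """Return the tags of any elements in the XInclude namespace."""
    prefix = "{" + XINCLUDE_NS + "}"
    root = ET.fromstring(xml_text)
    return [el.tag for el in root.iter() if el.tag.startswith(prefix)]


def parse_product_id(xml_text):
    """Allow-list check: no child markup under productId, digits only."""
    root = ET.fromstring(xml_text)
    node = root.find("productId")
    if node is None or len(node) > 0 or xinclude_elements(xml_text):
        raise ValueError("unexpected markup in stock-check document")
    text = (node.text or "").strip()
    if not text.isdigit():
        raise ValueError("productId must be numeric")
    return int(text)


# Constructed sample input: an XInclude-namespace element with a placeholder href.
SAMPLE = '<xi:include xmlns:xi="' + XINCLUDE_NS + '" href="constructed-placeholder.txt"/>'

if __name__ == "__main__":
    print("unsafe build:", xinclude_elements(build_unsafe(SAMPLE)))
    print("safe build:  ", xinclude_elements(build_safe(SAMPLE)))
```

Python's standard `xml.etree.ElementTree` parser does not perform XInclude processing on its own, so the check only inspects the tree; on a parser that does support XInclude, keep that feature disabled for documents built from request data.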
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng