## https://sploitus.com/exploit?id=8E7B8DC5-6BEE-5C5C-AF25-4ABCFA375006
# DevArea SOAP Exploitation Tool (CVE-2022-46364)
### Description
This specialized exploit targets the **DevArea** environment on **Hack The Box**. It leverages a critical vulnerability in **Apache CXF 3.2.14** (CVE-2022-46364) to perform **Local File Inclusion (LFI)** and **Server-Side Request Forgery (SSRF)**.
The script abuses the **MTOM/XOP** (Message Transmission Optimization Mechanism) processing engine. By injecting an `` element, we force the server's `AttachmentDeserializer` to fetch local system files or internal network resources and reflect them back in the SOAP response.
### Features
* **Automated Multipart Construction:** Handles the complex `multipart/related` structure required to trigger XOP processing.
* **LFI/SSRF via XOP:** Supports `file:///` for local files and `http://` for internal service scanning.
* **Smart Extraction:** Automatically identifies the `` tag and decodes the Base64 content into readable text.
---
### Prerequisites
* Python 3.x
* `requests` library (`pip install requests`)
### Usage
```bash
python3 exploit.py -u http://machinename.htb:8080/employeeservice -f /etc/passwd
```
#### Arguments
* `-u, --url`: Target SOAP endpoint (usually `http://devarea.htb:8080/employeeservice`).
* `-f, --file`: Absolute path to the file you wish to read (e.g., `/etc/passwd`).
### How It Works
1. **The Request:** The script sends a POST request with a custom `boundary` and `Content-Type: multipart/related`.
2. **The Injection:** It crafts a SOAP envelope where the `content` field contains an XOP pointer to the desired file.
3. **The Response:** Since the server treats MTOM attachments as binary data, it encodes the file content in **Base64** within the `` tag.
4. **The Decode:** The script captures this string, decodes it, and prints the cleartext content to your terminal.
### Disclaimer
This tool is intended for use in **Hack The Box** CTF environments and authorized security testing only.
---