dr.d3v1l, posted June 13, 2016 (edited June 14, 2016 by dr.d3v1l):
Hi RST, how could I fully exploit this XXE? I had a quick look at the OWASP topic, but it's local if I'm not mistaken, although from what I've read I think it can also be done remotely. *I'm offering a small sum to whoever helps me find a valid exploit.
urs, posted June 14, 2016 (edited June 14, 2016 by urs):
@wHoIS can help you with xxs
aelius, posted June 14, 2016:
Hey, wanker, you're trying to crack Magento. What the fuck is xxe? You're ruining our rating here.
dr.d3v1l (thread author), posted June 14, 2016:
7 minutes ago, aelius said: "Hey, wanker, you're trying to crack Magento. What the fuck is xxe? You're ruining our rating here."
xxe = XML External Entity
Nytro, posted June 14, 2016:
Try file:// to read from disk.
aelius, posted June 14, 2016:
:)))))))))) Nothing much can be done with it. This vulnerability was on Magento too.
dr.d3v1l (thread author), posted June 14, 2016:
50 minutes ago, Nytro said: "Try file:// to read from disk."
I also tried gopher://, file://, ftp://, php://filter/convert.base64-encode/resource=/etc/passwd, but nothing. I have the request log on the server, but I can't read etc/passwd.
SirGod, posted June 14, 2016 (edited June 14, 2016 by SirGod):
If it's PHP and expect is enabled you can try command execution, but I doubt it, it's disabled by default. If you can't manage to read files (show me what you've tried, maybe you missed something), you can try mapping the internal network and maybe you'll come across something interesting, but I don't think that interests you: lots of work, guessing, bruteforce...
TheTime, posted June 14, 2016:
A few ideas:
1. You've revealed the identity of the vulnerable server; I'll let you figure out how and where.
2. If you're sure the web application runs on Linux, try the ssh:// or ssh2:// wrappers. Maybe it uses some SSH client version vulnerable to RCE... who knows.
3. I don't think it runs on Linux, but on Windows. Does that make sense of why you can't read /etc/passwd?
4. Have you found a way to exfiltrate data? How do you tell whether you can read a file from disk or not? The SSRF works; have you tried to see what web applications are hosted locally / on the internal network? http://localhost / https://localhost / http:localhost:8080 / http(s)://10.1.1.1 (bruteforce on IPs)
5. Are you authorized to test these people's infrastructure, or...?
dr.d3v1l (thread author), posted June 15, 2016 (edited June 15, 2016 by dr.d3v1l):
9 hours ago, TheTime said:
"A few ideas:
1. You've revealed the identity of the vulnerable server; I'll let you figure out how and where.
2. If you're sure the web application runs on Linux, try the ssh:// or ssh2:// wrappers. Maybe it uses some SSH client version vulnerable to RCE... who knows.
3. I don't think it runs on Linux, but on Windows. Does that make sense of why you can't read /etc/passwd?
4. Have you found a way to exfiltrate data? How do you tell whether you can read a file from disk or not? The SSRF works; have you tried to see what web applications are hosted locally / on the internal network? http://localhost / https://localhost / http:localhost:8080 / http(s)://10.1.1.1 (bruteforce on IPs)
5. Are you authorized to test these people's infrastructure, or...?"
5) Yes, I'm authorized, it's just that they asked what I can exploit. That's why I put ($$), but from what I've checked further... it doesn't work.
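The replies above (Nytro's file://, the php://filter attempt, SirGod's note on expect, TheTime's SSRF point) all turn on which URI scheme an external entity resolves to. As an added example, not code from the thread, here is a small Python scanner a defender could run over logged request bodies to flag DOCTYPE external entities by scheme; the sample requests and the scheme-to-risk mapping are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Schemes named in the thread, mapped to what a hit means for a defender (assumed mapping).
SCHEME_RISK = {
    "file": "local file read",
    "php": "PHP stream wrapper (e.g. php://filter base64 of a file)",
    "expect": "command execution, if the expect extension is enabled",
    "gopher": "raw TCP request to internal services (SSRF)",
    "ftp": "outbound FTP connection (SSRF / exfiltration)",
    "http": "SSRF to local or internal web applications",
    "https": "SSRF to local or internal web applications",
}

# Matches <!ENTITY [%] name SYSTEM "uri"> and <!ENTITY [%] name PUBLIC "id" "uri">.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.-]+)\s+"
    r"(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))\s+"
    r"(?P<q>[\"'])(?P<uri>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)

def external_entities(xml_body):
    """One finding per external entity declared in the DOCTYPE of xml_body."""
    if not re.search(r"<!DOCTYPE", xml_body, re.IGNORECASE):
        return []  # no DTD, so nothing for the parser to resolve
    findings = []
    for m in ENTITY_RE.finditer(xml_body):
        scheme = urlsplit(m.group("uri")).scheme.lower()
        findings.append({
            "entity": m.group("name"),
            "parameter_entity": m.group("param") is not None,  # % entities can pull in a remote DTD
            "scheme": scheme,
            "uri": m.group("uri"),
            "risk": SCHEME_RISK.get(scheme, "unknown scheme, review manually"),
        })
    return findings

def scan_requests(requests):
    """requests: iterable of (source_ip, path, body); returns one alert per external entity."""
    return [dict(src=src, path=path, **f)
            for src, path, body in requests for f in external_entities(body)]

# Constructed sample request log (not real traffic); the URIs are the ones discussed in the thread.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/import", '<?xml version="1.0"?><order><id>42</id></order>'),
    ("198.51.100.7", "/import", '<!DOCTYPE o [<!ENTITY x SYSTEM "file:///etc/passwd">]><o>&x;</o>'),
    ("198.51.100.7", "/import", '<!DOCTYPE o [<!ENTITY x SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">]><o>&x;</o>'),
    ("198.51.100.7", "/import", '<!DOCTYPE o [<!ENTITY x SYSTEM "http://localhost:8080/">]><o>&x;</o>'),
    ("203.0.113.9", "/import", '<!DOCTYPE o [<!ENTITY copy "(c) 2016">]><o>&copy;</o>'),  # internal entity, benign
]
```

Internal entities (no SYSTEM/PUBLIC identifier) and DTD-less documents produce no alert, so the scanner keys on the external-resolution step rather than on DOCTYPE alone.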