I have identified an XXE vulnerability in an XML parser of an application that allows external entities. I used the crafted XML below to make a GET request to localhost on port 9090, and on the same machine where the XML parser runs, I started a listener on port 9090.

XML file:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE demo [ <!ENTITY ssrf SYSTEM "http://127.0.0.1:9090"> ]>
    <sample>&ssrf;</sample>

Starting listener on the same machine:

    nc -klvp 9090

When I run my test in the application, the XML file is consumed and I can see a connection initiated to the listening port. Now I want to advance my PoC and try to get a reverse shell in order to gain RCE. Is that possible? I am doing this in order to have an accurate CVSS score, because if this vulnerability lets me get RCE, then the score will be critical (CIA will all be high).
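The mitigation side of the probe above, as an added example that is not part of the original question or of the application under test: the root cause is a parser that accepts a DTD with a SYSTEM entity, and the standard fix is to refuse DTDs from untrusted input altogether rather than to filter entity URIs. The code below does that with Python's stdlib expat parser, which reports the DOCTYPE to a handler before any entity is declared, resolved or expanded, so the SYSTEM URI is never reached. The sample documents (`XXE_PROBE`, which reproduces the question's payload, and `BENIGN_DOC`) are constructed here; the function and class names are my own.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed samples (not taken from a real application): the probe quoted
# in the question above, and a harmless document that declares no DTD at all.
XXE_PROBE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE demo [ <!ENTITY ssrf SYSTEM "http://127.0.0.1:9090"> ]>\n'
    '<sample>&ssrf;</sample>'
)
BENIGN_DOC = '<?xml version="1.0" encoding="UTF-8"?><sample>hello</sample>'


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document declares a DOCTYPE or an entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Fires as soon as expat sees <!DOCTYPE ...>, before any entity in the
    # internal subset is declared, so no SYSTEM URI is ever resolved.
    raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted input")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # Belt-and-braces: no entity declaration of any kind is accepted either.
    raise UnsafeXMLError(f"entity declaration {name!r} not allowed")


def parse_untrusted(data):
    """Parse XML from an untrusted source, refusing any document with a DTD.

    Pass 1 runs expat with handlers that abort on DOCTYPE/ENTITY. Because the
    parser itself reports them, the check is independent of the document's
    byte encoding (a byte-level regex for "<!DOCTYPE" would miss UTF-16).
    Pass 2 builds the ElementTree only if pass 1 raised nothing.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject_doctype
    p.EntityDeclHandler = _reject_entity
    p.Parse(data, True)  # raises UnsafeXMLError or expat.ExpatError
    return ET.fromstring(data)


def classify(data):
    """Return 'accepted:<root tag>' or 'rejected:<reason>' for logging."""
    try:
        root = parse_untrusted(data)
        return f"accepted:{root.tag}"
    except UnsafeXMLError as e:
        return f"rejected:{e}"
    except expat.ExpatError as e:
        return f"rejected:malformed ({e})"


if __name__ == "__main__":
    for label, doc in (("probe", XXE_PROBE), ("benign", BENIGN_DOC)):
        print(label, "->", classify(doc))
```

Logging the rejection reason gives a detection signal as well: a stream of `rejected:DOCTYPE` entries from one client is exactly the probing described in the question. For a Java or PHP application the equivalent setting is to disallow DOCTYPE declarations in the parser factory (Java) or to avoid loading external entities (PHP); the check here is the same principle expressed in Python.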
The PHP `expect://` URI scheme could be leveraged into RCE (airman604.medium.com/…). Ditto for Java (horizon3.ai/attack-research/disclosures/…).