Generic XXE vulnerability in a Yonyou software product

2016-01-20T00:00:00
ID SSV:93392
Type seebug
Reporter Root
Modified 2016-01-20T00:00:00

Description

Brief description:

Detailed description:

1. Minsheng Securities http://.../uapws/

<img src="https://images.seebug.org/upload/201601/200959349c3a44acc3e242c9b2d455dd416569fe.jpg" alt="Snap331.jpg" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201601/200959422139a96b8903b7273200e50e815348b3.jpg" alt="Snap333.jpg" width="600" onerror="javascript:errimg(this);">

Capture the request:

POST /uapws/soapFormat.ajax HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/uapws/
Content-Length: 384
Cookie: JSESSIONID=D9A66C6E1C99D59B42D690082C39E02D.server; SaveStateCookie=Server%2Cuap%2Cnc.itf.ses.DataPowerService%2Cnc.itf.ses.DataPowerService%3ADataPowerServicePortType%2Cnc.pubitf.rbac.IUserPubServiceWS%2Cnc.pubitf.rbac.IUserPubServiceWS%3AIUserPubServiceWSPortType%2Cnc.uap.oba.update.IUpdateService%2Cnc.uap.oba.update.IUpdateService%3AIUpdateServicePortType; JSESSIONID=8631851994940C5860B6144F6C85C7DE.server
Connection: keep-alive

msg=*********

We replace the content of the msg parameter:

<img src="https://images.seebug.org/upload/201601/20100157959ec80dee5a01a79341121fdb269ead.jpg" alt="Snap334.jpg" width="600" onerror="javascript:errimg(this);">

view-source:http://.../index.jsp project directory

<img src="https://images.seebug.org/upload/201601/20100341db7e42bc50a4c30dac0b25a51299758e.jpg" alt="Snap335.jpg" width="600" onerror="javascript:errimg(this);">
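A log-side check for the request shown above, as an added example that is not part of the original report: it flags POSTs to /uapws/soapFormat.ajax whose msg field carries a DTD or an external entity declaration, including when the value is URL-encoded more than once. The log record shape (method, path, body) and the sample bodies are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, quote, unquote_plus

ENDPOINT = "/uapws/soapFormat.ajax"  # path taken from the captured request
PARAM = "msg"                         # form field that carries the XML

# DTD constructs that an ordinary SOAP message has no need for.
DTD_RE = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
EXTERNAL_RE = re.compile(r"\b(SYSTEM|PUBLIC)\s+[\"']", re.IGNORECASE)

def decode_layers(value, max_rounds=3):
    """Undo repeated URL-encoding so a doubly encoded DOCTYPE is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, path, body):
    """Return a verdict for one logged request (hypothetical record shape)."""
    verdict = {"relevant": False, "dtd": False, "external_entity": False}
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return verdict
    verdict["relevant"] = True
    for raw in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        xml = decode_layers(raw)  # parse_qs has already decoded one layer
        if DTD_RE.search(xml):
            verdict["dtd"] = True
            verdict["external_entity"] |= bool(EXTERNAL_RE.search(xml))
    return verdict

# Constructed sample bodies (not taken from the report's screenshots).
BENIGN = "msg=" + quote('<soapenv:Envelope xmlns:soapenv='
                        '"http://schemas.xmlsoap.org/soap/envelope/"/>')
SUSPICIOUS_XML = '<!DOCTYPE a [<!ENTITY b SYSTEM "http://example.invalid/x">]><a>&b;</a>'
SUSPICIOUS = "msg=" + quote(SUSPICIOUS_XML)
DOUBLE_ENCODED = "msg=" + quote(quote(SUSPICIOUS_XML))

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("suspicious", SUSPICIOUS),
                       ("double-encoded", DOUBLE_ENCODED)]:
        print(name, inspect_request("POST", ENDPOINT, body))
```

This only surfaces attempts in logs or at a proxy; the fix for XXE is to disable DTD and external entity processing in the XML parser that handles msg on the server.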

Proof of vulnerability:

2. China State Construction Engineering Corporation http://...

<img src="https://images.seebug.org/upload/201601/2010273056e7f6aef0d1f066eeaa0d913c2decd1.jpg" alt="Snap340.jpg" width="600" onerror="javascript:errimg(this);">

3. ...:9001/uapws/

<img src="https://images.seebug.org/upload/201601/20102605b38018d2cd22a41e070b8acaf019e373.jpg" alt="Snap339.jpg" width="600" onerror="javascript:errimg(this);">

4. Haoyaowang (好药网) http://...:8080/uapws/

<img src="https://images.seebug.org/upload/201601/20102538336f72536ef55a7db6e4573cef20c133.jpg" alt="Snap338.jpg" width="600" onerror="javascript:errimg(this);">

5. http://.../uapws/

<img src="https://images.seebug.org/upload/201601/2010303510404103948efdca122e4906d7fc69a4.jpg" alt="Snap341.jpg" width="600" onerror="javascript:errimg(this);">